J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

Input Validation Principles and Practices

Input Validation Principles and Practices

  • Comments 1


If you use a principle-based approach, you can get rid of classes of security issues.  SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices.  Here's a few of the bad practices:

Bad Practices

  • you're relying on client-side input
  • you're not validating input
  • you're ignoring that input includes querystring, cookies, file and url paths
  • you're making security decisions on user input
  • you're not "sanitizing" (i.e. make safe) output


The key to input and data validation is to use a principle-based approach.  Here's some of the core princpiples and practices:

Good Practices

  • validate length, range, format and type
  • use whitelisting techniques over blacklisting
  • keep user input out of the control path
  • don't make security decision from client input

If you use principle-based approach, you don't have to chase every new threat or attack or its variation.  Here's a few resources that help get you started:

Page 1 of 1 (1 items)