Input Validation Principles and Practices
If you use a principle-based approach, you can get rid of whole classes of security issues. SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices. Here are a few of the bad practices:
Bad Practices
- you're relying on client-side input
- you're not validating input
- you're ignoring that input includes query strings, cookies, file and URL paths
- you're making security decisions on user input
- you're not "sanitizing" (i.e. making safe) output
The key to input and data validation is to use a principle-based approach. Here are some of the core principles and practices:
Good Practices
- validate length, range, format and type
- use whitelisting techniques over blacklisting
- keep user input out of the control path
- don't make security decisions from client input
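As an added example (not from the original article), here is one way to apply these practices in Python: each field is checked for type, length, format and range against an allow-list, and the client's sort choice selects a server-defined column instead of being placed in the SQL text. The field names, bounds, table and column names are assumptions made for illustration.

```python
import re

# Allow-lists and bounds: anything not explicitly permitted is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")       # permitted characters only
SORT_COLUMNS = {"name": "display_name", "joined": "created_at"}  # hypothetical columns
AGE_MIN, AGE_MAX = 13, 120                       # inclusive range (assumed policy)


class ValidationError(ValueError):
    """Raised when input fails a type, length, format or range check."""


def validate_username(raw):
    # Type and length first, then format. fullmatch() must consume the whole
    # string, so a trailing newline cannot slip past the pattern.
    if not isinstance(raw, str) or not 3 <= len(raw) <= 20:
        raise ValidationError("username: wrong type or length")
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username: character outside the allow-list")
    return raw


def validate_age(raw):
    # Query strings, cookies and form fields arrive as text: check the format,
    # convert to the expected type, then check the range.
    if not isinstance(raw, str) or len(raw) > 3 or not (raw.isascii() and raw.isdigit()):
        raise ValidationError("age: not a short decimal integer")
    age = int(raw)
    if not AGE_MIN <= age <= AGE_MAX:
        raise ValidationError("age: out of range")
    return age


def build_query(params):
    # The client supplies a key; the server supplies the SQL fragment. User
    # input never becomes statement text (the control path), and the values
    # travel separately as bound parameters.
    sort_key = params.get("sort", "name")
    if not isinstance(sort_key, str) or sort_key not in SORT_COLUMNS:
        raise ValidationError("sort: not an allowed key")
    user = validate_username(params.get("user"))
    age = validate_age(params.get("min_age"))
    sql = ("SELECT display_name FROM users WHERE username = ? AND age >= ? "
           "ORDER BY " + SORT_COLUMNS[sort_key])
    return sql, (user, age)


if __name__ == "__main__":
    # Constructed sample request parameters.
    print(build_query({"user": "alice_01", "min_age": "18", "sort": "joined"}))
```

The returned statement and parameter tuple are meant to be passed together to a database driver's parameterized execute call, so validated values are still never concatenated into the query.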
If you use a principle-based approach, you don't have to chase every new threat or attack or its variation. Here are a few resources that help get you started: