Input Validation Principles and Practices



If you use a principle-based approach, you can get rid of whole classes of security issues. SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices. Here are a few of the bad practices:


Bad Practices



  • you’re relying on client-side input

  • you’re not validating input

  • you’re ignoring that input includes querystring, cookies, file and url paths

  • you’re making security decisions on user input

  • you’re not “sanitizing” (i.e. making safe) output


The key to input and data validation is to use a principle-based approach. Here are some of the core principles and practices:


Good Practices



  • validate length, range, format and type

  • use whitelisting techniques over blacklisting

  • keep user input out of the control path

  • don’t make security decisions based on client input
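
The good practices above, sketched as one server-side validator. This is an added example, not code from the original post; the field names, limits and column names are assumptions chosen for illustration.

```python
import re

# Allow-list rules per field (names and limits are assumptions for this example).
RULES = {
    "username": {"max_len": 20, "format": re.compile(r"[A-Za-z0-9_]{3,20}")},
    "age":      {"max_len": 3, "type": int, "range": (13, 120)},
    "sort":     {"max_len": 10, "choices": {"name", "date"}},
}
# Control path stays server-side: the client only selects a key from a fixed
# set; the column name that reaches the query is never client text.
SORT_COLUMNS = {"name": "last_name", "date": "created_at"}


class ValidationError(ValueError):
    pass


def validate(raw):
    """Return typed, validated values or raise ValidationError.

    `raw` holds everything the client controls (form fields, query string,
    cookies) as strings. Unknown keys are rejected, not silently ignored.
    """
    unknown = set(raw) - set(RULES)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, rule in RULES.items():
        value = raw.get(name)
        if not isinstance(value, str) or not 0 < len(value) <= rule["max_len"]:
            raise ValidationError(f"{name}: missing or bad length")   # length
        if rule.get("type") is int:
            if not re.fullmatch(r"[0-9]+", value):                    # type
                raise ValidationError(f"{name}: not an integer")
            value = int(value)
            low, high = rule["range"]
            if not low <= value <= high:                              # range
                raise ValidationError(f"{name}: out of range")
        if "format" in rule and not rule["format"].fullmatch(value):  # format
            raise ValidationError(f"{name}: bad format")
        if "choices" in rule and value not in rule["choices"]:        # allow-list
            raise ValidationError(f"{name}: not an allowed value")
        clean[name] = value
    return clean


def order_by(clean):
    """Map the validated sort key to a server-defined column name."""
    return SORT_COLUMNS[clean["sort"]]
```

Each rule describes what valid input looks like instead of listing known-bad strings, so an unanticipated payload fails the same way as a known one.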

If you use a principle-based approach, you don’t have to chase every new threat or attack or its variation. Here are a few resources that help get you started:


Comments (1)

  1. Kevin Lam says:

    Hey J.D.,

    Nice blog posting — I just published a blog posting (first of 3 part series) on input validation at http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/.  

    Thanks,

    Kevin

    Kevin Lam

    Impacta LLC (http://www.impactalabs.com)

    "Risk management solutions working for you"