Input Validation Principles and Practices

If you use a principle-based approach, you can eliminate whole classes of security issues.  SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of a handful of bad practices.  Here are a few of them:

Bad Practices

  • you're relying on client-side input

  • you're not validating input

  • you're ignoring that input includes the querystring, cookies, file paths and URL paths, not just form fields

  • you're making security decisions on user input

  • you're not "sanitizing" (i.e. encoding to make safe) your output

The key to input and data validation is to use a principle-based approach.  Here are some of the core principles and practices:

Good Practices

  • validate length, range, format and type

  • use whitelisting techniques over blacklisting

  • keep user input out of the control path

  • don't make security decisions from client input

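Here's an added example (not code from the original post) that puts the two lists side by side in Python.  The vulnerable lookup splices the username into the SQL string, so a crafted value rewrites the query.  The hardened path checks type, length and format against a whitelist regex, binds the value as a parameter so it stays out of the control path, encodes output for the HTML context, and takes the "is admin" decision from server-side session state instead of a client-supplied form field.  The users table, the sample rows, the username rule and the page-size limits are all constructed for this example.

```python
import html
import re
import sqlite3

# Whitelist rules (constructed for this example): describe what input MAY look
# like, not what it must not look like. One pattern covers type, length and format.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
PAGE_SIZE_MIN, PAGE_SIZE_MAX = 1, 100


def build_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn, name):
    """Bad practice: raw user input is spliced into the SQL control path."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, name):
    """Parameters keep input out of the control path: the value is bound as
    data, so a quote inside it can never terminate the string literal."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name):
    """Type, length and format are checked against the whitelist; anything else is rejected."""
    if not isinstance(name, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-20 chars of [A-Za-z0-9_]")
    return name


def validate_page_size(raw):
    """Querystring values arrive as text: check format, convert, then range-check."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValueError("page size must be 1-3 digits")
    size = int(raw)
    if not PAGE_SIZE_MIN <= size <= PAGE_SIZE_MAX:
        raise ValueError("page size out of range")
    return size


def safe_lookup(conn, name):
    """Defense in depth: validate first, then bind the value as a parameter."""
    return parameterized_lookup(conn, validate_username(name))


def render_greeting(name):
    """Output encoding for the HTML context: whatever validation let through
    is rendered as text, never as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def is_admin(form_fields, session):
    """Security decision from server-side session state only. A client-supplied
    'isAdmin' form field may be present in form_fields, but it is never consulted."""
    return session.get("role") == "admin"


if __name__ == "__main__":
    db = build_db()
    attack = "x' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, attack))        # both rows leak
    print("parameterized:", parameterized_lookup(db, attack))  # no rows
    try:
        safe_lookup(db, attack)
    except ValueError as err:
        print("rejected:", err)
    print(render_greeting("<script>alert(1)</script>"))
    print("admin?", is_admin({"isAdmin": "true"}, {"role": "user"}))
```

The point of keeping both `parameterized_lookup` and `validate_username` is that they address different things: parameters make the injection string harmless, the whitelist stops it at the door so it never reaches the database, the log, or a later string concatenation somewhere else in the code.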
If you use a principle-based approach, you don't have to chase every new threat or attack or its variations.  Here are a few resources to help get you started:

Comments (1)

  1. Kevin Lam says:

    Hey J.D.,

    Nice blog posting — I just published a blog posting (first of 3 part series) on input validation at  



    Kevin Lam

    Impacta LLC (

    "Risk management solutions working for you"
