Input Validation Principles and Practices

If you use a principle-based approach, you can get rid of classes of security issues. SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices. Here are a few of the bad practices:

Bad Practices

  • you're relying on client-side input
  • you're not validating input
  • you're ignoring that input includes query strings, cookies, file and URL paths
  • you're making security decisions on user input
  • you're not "sanitizing" (i.e. making safe) output

The key to input and data validation is to use a principle-based approach. Here are some of the core principles and practices:

Good Practices

  • validate length, range, format and type
  • use whitelisting techniques over blacklisting
  • keep user input out of the control path
  • don't make security decisions from client input
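
Here's an added example (not from the original post) of the first three practices applied on the server to one request: type, length, format and range checks, an allow-list for the sort option, and user input kept out of the SQL text. The products table, the parameter names and the limits are assumptions made up for the illustration.

```python
import re
import sqlite3

# Allow-list: the only ORDER BY fragments that can ever become SQL text.
SORT_CLAUSES = {"name": "name ASC", "cheapest": "price ASC"}
CATEGORY_RE = re.compile(r"[a-z][a-z0-9_]{2,19}")  # format and length (3-20 chars)
LIMIT_RE = re.compile(r"[0-9]{1,3}")               # type: short decimal integer

def validate_category(raw):
    if not isinstance(raw, str):                    # type
        raise ValueError("category: wrong type")
    if not CATEGORY_RE.fullmatch(raw):              # length and format
        raise ValueError("category: bad length or format")
    return raw

def validate_limit(raw):
    if not isinstance(raw, str) or not LIMIT_RE.fullmatch(raw):
        raise ValueError("limit: not a short decimal integer")
    value = int(raw)
    if not 1 <= value <= 100:                       # range
        raise ValueError("limit: out of range 1-100")
    return value

def choose_sort(raw):
    # The request only selects a key; the SQL fragment is our own constant,
    # so user input never enters the control path of the query.
    clause = SORT_CLAUSES.get(raw) if isinstance(raw, str) else None
    if clause is None:
        raise ValueError("sort: not an allowed value")
    return clause

def search_products(db, params):
    category = validate_category(params.get("category"))
    limit = validate_limit(params.get("limit", "20"))
    order_by = choose_sort(params.get("sort", "name"))
    # Values travel as bound parameters, never as query text.
    sql = f"SELECT name FROM products WHERE category = ? ORDER BY {order_by} LIMIT ?"
    return [row[0] for row in db.execute(sql, (category, limit))]

def make_demo_db():
    # Constructed sample data for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("lamp", "home", 30), ("desk", "home", 120), ("cable", "tech", 5)])
    return db
```

Anything that fails a check is rejected with an error rather than repaired, which is the whitelisting stance: accept what is known to be good and refuse the rest.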

If you use a principle-based approach, you don't have to chase every new threat or attack or its variation. Here are a few resources that help get you started: