Validation
Validation is the verification of application data to ensure it fits a set of specifications that mitigate the possibility of an attack.
In validation, use a whitelist as opposed to a blacklist. For example, instead of disallowing .exe and .bat file extensions, mandate that the file extension be .txt or .doc.
Validating With Regular Expressions (regex)
When validating with regex, be sure to use the start and end anchors (^ and $) to ensure the entire string matches. After validating a piece of data with a regex, it may be useful to parse it further or convert it to a native datatype to validate it further. For example, convert a string to an integer to do an "in range" check, and convert a date string to a date object to make sure the day of the week is expected.
Validating Numbers
Ask yourself these questions and try to incorporate the answers into your validation scheme:
- Should this number be signed or unsigned?
- What are the minimum and maximum values to accept?
After validating the input with a regex, such as ^[0-9]+$ for unsigned integers, convert the string to the correct numeric type and perform the numeric comparisons.
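The two-stage check described above, written out in Python as an added example (it is not code from the wiki): the regex rejects anything that is not the expected shape, then the string is converted to a native type so the range check (for the unsigned integer) and the day-of-week check (for the date) can be done on real values. The function names, the ISO date format and the bounds used are assumptions for illustration.

```python
import re
from datetime import date
from typing import Optional

# Anchored character classes from the page. Two details worth knowing when
# porting the idea to Python: "$" also matches just before a trailing "\n",
# so "123\n" would pass re.match(r"^[0-9]+$", ...); re.fullmatch() does not
# have that gap. And "[0-9]" is deliberately used instead of "\d", because
# "\d" also matches non-ASCII digits that int() would happily convert.
UNSIGNED_INT_RE = re.compile(r"[0-9]+")
ISO_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def validate_unsigned_int(value: str, minimum: int, maximum: int) -> Optional[int]:
    """Return the integer if `value` is a well-formed unsigned integer within
    [minimum, maximum] inclusive; otherwise return None."""
    if not isinstance(value, str) or UNSIGNED_INT_RE.fullmatch(value) is None:
        return None
    number = int(value)  # only ASCII digits can reach this point
    if number < minimum or number > maximum:
        return None
    return number


def validate_weekday_date(value: str) -> Optional[date]:
    """Return a date object if `value` is YYYY-MM-DD, names a real calendar
    date, and falls on Monday..Friday; otherwise return None."""
    if not isinstance(value, str) or ISO_DATE_RE.fullmatch(value) is None:
        return None
    try:
        parsed = date.fromisoformat(value)  # rejects e.g. 2024-02-30
    except ValueError:
        return None
    if parsed.weekday() > 4:  # 5 = Saturday, 6 = Sunday
        return None
    return parsed


if __name__ == "__main__":
    # Constructed sample inputs to show each stage rejecting something.
    for sample in ["42", "0042", "-5", "123\n", "999", "\uff11\uff12"]:
        print(repr(sample), "->", validate_unsigned_int(sample, 1, 100))
    for sample in ["2024-03-04", "2024-03-02", "2024-02-30", "2024-3-4"]:
        print(repr(sample), "->", validate_weekday_date(sample))
```

The regex alone would accept "999" and "0042" equally; only the conversion to int makes the range check meaningful, which is the point of the second stage.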
Wiki content is available under a Creative Commons 3.0 License.
