Input Validation Isn't For Wimps


Aug 26, 2008

There's an axiom in the appsec community - "all input is evil". Every piece of data sent by the user may be teeming with virulent host compromising attacks, and that you better validate ANY and ALL user-modifiable parameters or your computer will explode in a mushroom cloud of buffer overflows.

There’s a common misstep that people make when figuring out how to fix these issues.

"Is there a method I can use to validate all my data coming in?"

Well, it turns out that you can't. Sorry. Each piece of data needs to be validated separately.

Phone numbers need to look like phone numbers, usernames need to look like usernames, uploaded images need to look like uploaded images, and there isn't any method out there that's "one size fits all".

Input validation isn't for wimps.