What is Input Validation?
Input validation is the process of testing input received by an application for compliance with a set of criteria before allowing it to be processed. It ensures that only properly formatted data enters the application workflow, preventing malformed data from causing harm.
Proper input validation is the first line of defense against many web application vulnerabilities, including injection attacks, cross-site scripting (XSS), and buffer overflows.
Input Validation Techniques
Input Validation Best Practices
Validate on Server-Side
Always perform validation on the server side, even when client-side validation is also implemented. Client-side validation can be bypassed by anyone who controls the browser, so it should be used only to improve the user experience.
Use Whitelist Approach
Prefer whitelist validation over blacklist validation. Define what is allowed rather than trying to block what is known to be dangerous, as new attack vectors constantly emerge.
Validate for Length and Size
Implement reasonable length restrictions and size limits for all input fields to prevent buffer overflow attacks and resource exhaustion.
Use Context-Appropriate Encoding
Apply proper output encoding based on the context where the data will be used (HTML, JavaScript, SQL, etc.) to prevent injection attacks.
Implement Input Sanitization
Remove or encode potentially dangerous characters from input while preserving data integrity. Use established libraries rather than custom implementations.
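The practices above (server-side checks, a whitelist of what is allowed, length limits, and encoding chosen for the output context) combined into one small Node.js module, as an added example that is not part of the original page or any library. The field names, the 3-30 character username rule, the 500-character comment cap, and the sample submissions are all constructed for illustration.

```javascript
// Added example (not from the original page): server-side whitelist validation
// with length limits, followed by HTML-body output encoding.
// Field rules and sample inputs are constructed for illustration.

const USERNAME_RE = /^[A-Za-z0-9_]{3,30}$/; // whitelist: what IS permitted
const MAX_COMMENT_LENGTH = 500;             // size cap against resource exhaustion

// Validate a username against the whitelist pattern. Returns a result object
// instead of throwing so callers can report every field at once.
function validateUsername(input) {
  if (typeof input !== 'string') {
    return { ok: false, error: 'username must be a string' };
  }
  if (!USERNAME_RE.test(input)) {
    return { ok: false, error: 'username must be 3-30 letters, digits or underscores' };
  }
  return { ok: true, value: input };
}

// Free text cannot use a tight whitelist, so enforce a length limit before any
// further processing and keep the data intact: dangerous characters are dealt
// with by output encoding, not by stripping them here.
function validateComment(input) {
  if (typeof input !== 'string') {
    return { ok: false, error: 'comment must be a string' };
  }
  // Normalise so that precomposed and decomposed forms of the same text
  // compare (and count) the same; length is measured in UTF-16 code units.
  const normalized = input.normalize('NFC');
  if (normalized.length === 0 || normalized.length > MAX_COMMENT_LENGTH) {
    return { ok: false, error: `comment must be 1-${MAX_COMMENT_LENGTH} characters` };
  }
  return { ok: true, value: normalized };
}

// HTML-body context encoding: every character that can change HTML structure
// is replaced by its entity, so stored text can never be parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate a whole form, collecting all errors rather than stopping at the first.
function validateProfileForm(form) {
  const errors = {};
  const value = {};
  const u = validateUsername(form.username);
  if (u.ok) value.username = u.value; else errors.username = u.error;
  const c = validateComment(form.comment);
  if (c.ok) value.comment = c.value; else errors.comment = c.error;
  return Object.keys(errors).length === 0 ? { ok: true, value } : { ok: false, errors };
}

// Render an already-validated form into the HTML body context. Validation
// decided what is accepted; encoding decides how it is safely written out.
function renderProfile(validForm) {
  return `<p class="user">${encodeForHtml(validForm.username)}</p>` +
         `<p class="comment">${encodeForHtml(validForm.comment)}</p>`;
}

// Constructed sample submissions
const accepted = validateProfileForm({ username: 'alice_01', comment: 'Hello <world> & "friends"' });
console.log(accepted.ok ? renderProfile(accepted.value) : accepted.errors);
const rejected = validateProfileForm({ username: 'al', comment: 'x'.repeat(600) });
console.log(rejected.errors);
```

Note that the comment field is not sanitized by removing characters: the `<` and `&` in the accepted sample survive validation unchanged and are neutralised only at render time by `encodeForHtml`, which is what "context-appropriate encoding" means in practice. A different sink (a JavaScript string, a URL parameter) would need a different encoder.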
Common Input Validation Vulnerabilities
SQL Injection
Attackers inject malicious SQL code through input fields to manipulate database queries.
Cross-Site Scripting (XSS)
Malicious scripts are injected into web pages viewed by other users.
Command Injection
Attackers execute arbitrary commands on the host operating system.
Buffer Overflow
Writing more data to a buffer than it can hold, which can corrupt adjacent memory and potentially allow an attacker to execute arbitrary code.
Implementation Examples
Input Validation (Node.js)
const Joi = require('joi');

// Define validation schema
const userSchema = Joi.object({
  username: Joi.string()
    .alphanum()
    .min(3)
    .max(30)
    .required(),
  email: Joi.string()
    .email()
    .required(),
  password: Joi.string()
    .pattern(new RegExp('^[a-zA-Z0-9]{8,30}$'))
    .required(),
  age: Joi.number()
    .integer()
    .min(18)
    .max(120)
});

// Validate input (userInput is the parsed request payload, e.g. req.body)
const { error, value } = userSchema.validate(userInput);
if (error) {
  throw new Error(`Validation error: ${error.details[0].message}`);
}
SQL Injection Prevention
// VULNERABLE: String concatenation (user input becomes part of the SQL text)
const unsafeQuery = `SELECT * FROM users WHERE username = '${username}'`;

// SECURE: Parameterized queries (db is the database driver connection;
// the value is bound separately and is never parsed as SQL)
const paramQuery = 'SELECT * FROM users WHERE username = ?';
db.execute(paramQuery, [username]);

// SECURE: Using ORM (User is the ORM model; the ORM binds the value for you)
const user = await User.findOne({
  where: { username: username }
});

// SECURE: Stored procedures (still called with a bound parameter)
const procQuery = 'CALL getUserByUsername(?)';
db.execute(procQuery, [username]);
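To make the difference between the vulnerable and the parameterized forms concrete without a real database, here is an added example (not from the original page or from any driver or ORM) that builds the `'... WHERE username = ?'` text and its values array with a tagged template, then hands them to a stand-in for the `db.execute(text, values)` call used above. The stand-in driver, the `sql` helper and the sample name are all constructed; the `execute(text, values)` signature is assumed to match the snippet above. A legitimate name containing an apostrophe is enough to show why concatenation is unsafe: it changes the SQL text itself, while the bound version leaves the query text constant.

```javascript
// Added example (not from the original page): separating SQL text from user data.
// `sql`, `makeFakeDb` and the sample input are constructed for illustration;
// the execute(text, values) interface is assumed to match the page's db.execute.

// Tagged template: literal fragments become the query text with one "?" per
// interpolation; the interpolated values go into a separate array, so they are
// never parsed as SQL no matter which characters they contain.
function sql(strings, ...values) {
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    text += '?' + strings[i + 1];
  }
  return { text, values };
}

// VULNERABLE reference: string concatenation, as in the first snippet above.
function buildConcatenated(username) {
  return `SELECT * FROM users WHERE username = '${username}'`;
}

// SECURE: the query text is constant; the username travels as a bound value.
function buildParameterized(username) {
  return sql`SELECT * FROM users WHERE username = ${username}`;
}

// Minimal stand-in for a driver's execute(): it records what it was given so
// text and values can be inspected separately (assumed interface, not a real driver).
function makeFakeDb() {
  const calls = [];
  return {
    execute(text, values) {
      calls.push({ text, values });
      return []; // no rows; a real driver would query the database here
    },
    calls,
  };
}

// Look up a user the way the page's db.execute(query, [username]) does.
function findUser(db, username) {
  const q = buildParameterized(username);
  return db.execute(q.text, q.values);
}

// Constructed sample: a legitimate name with an apostrophe.
const sample = "O'Brien";
console.log(buildConcatenated(sample)); // quote closes the SQL string early: broken SQL
console.log(buildParameterized(sample)); // text unchanged, value carried separately

const db = makeFakeDb();
findUser(db, sample);
console.log(db.calls);
```

The tagged template is only a convenience for producing what the page's `'... = ?'` string plus `[username]` array already express; the security property comes from the driver receiving text and values as two separate arguments, which is why the helper never joins them. Input validation (for example the alphanumeric username rule in the schema above) is a second, independent layer: it would reject "O'Brien" outright, whereas parameterization handles it correctly, so the two should be combined rather than treated as substitutes.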
Additional Resources
OWASP Input Validation
Comprehensive guide to input validation techniques and best practices.
Input Validation Cheatsheet
Quick reference for implementing input validation across different contexts.