Input Validation Isn’t For Wimps
There’s an axiom in the appsec community: “all input is evil”. Every piece of data sent by the user may be teeming with virulent, host-compromising attacks, and you had better validate ANY and ALL user-modifiable parameters or your computer will explode in a mushroom cloud of buffer overflows.
There’s a common misstep that people make when figuring out how to fix these issues.
“Is there a method I can use to validate all my data coming in?”
Well, it turns out that you can’t. Sorry. Each piece of data needs to be validated separately.
Phone numbers need to look like phone numbers, usernames need to look like usernames, uploaded images need to look like uploaded images, and there isn’t any method out there that’s “one size fits all”.
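
As an added illustration (not code from the original post), here is what per-field validation can look like in Python. The field names, the username and phone formats, the accepted image types and the size limit are all assumptions made for the example.

```python
import re

# Assumed policies for illustration; the post does not define any formats.
# fullmatch() is used so a trailing newline cannot slip past an anchor, and
# [0-9] rather than \d so non-ASCII digits are not accepted.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
PHONE_RE = re.compile(r"\+[1-9][0-9]{7,14}")  # E.164-style, at most 15 digits
IMAGE_MAGIC = {  # leading bytes of the image types this example accepts
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif", b"GIF89a": "gif",
}
MAX_IMAGE_BYTES = 5 * 1024 * 1024

def validate_username(value):
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def validate_phone(value):
    if not isinstance(value, str):
        raise ValueError("invalid phone number")
    compact = re.sub(r"[ ().-]", "", value)  # drop common separators only
    if not PHONE_RE.fullmatch(compact):
        raise ValueError("invalid phone number")
    return compact

def validate_image(data):
    # First gate only: a real upload handler would also decode the image.
    if not isinstance(data, bytes) or not 0 < len(data) <= MAX_IMAGE_BYTES:
        raise ValueError("invalid image size")
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    raise ValueError("unrecognised image type")

VALIDATORS = {"username": validate_username, "phone": validate_phone,
              "avatar": validate_image}

def validate_form(form):
    """Run each field through its own validator; reject unknown fields."""
    clean, errors = {}, {}
    for name, value in form.items():
        try:
            if name not in VALIDATORS:
                raise ValueError("unexpected field")
            clean[name] = VALIDATORS[name](value)
        except ValueError as exc:
            errors[name] = str(exc)
    return clean, errors
```
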
Input validation isn’t for wimps.