Input Validation

In programming input validation is very important.  When user input is not validated malicious users can exploit security issues in computer applications.

For example, most recently PHP has had a buffer overflow in the file info functionality when checking elf files.  Additionally XML has had some serious security holes in 2014.  The first was heartblead and the second was a version of the billion laughs exploit.  An integer overflow was recently discovered in RPM which allowed arbitrary code execution.

Historically there have also been null byte security issues with user input files and file handling during program execution.

Ways to validate user input

1.) Regular Expressions

Regular expressions are a available to each programmer through api’s in the language.  What if all of your data was in the Latin char set by database restriction and a user input UTF-8 data.  This could result in a database overflow.  A regular expression could be used to remove and place an error message to the user which would mitigate the overflow.

2.) PHP Filter Functionality

PHP has the filter api.  This has two types of filters the validate and sanitize filters.  Calling these functions removes the null byte and validate or sanitize the input.  Built in functionality can process request variables in a web application.

3.) Data Type Casting

Data can be cast to the correct type, but can result in data loss due to truncation.  This should be used as a last resort, due to data loss.

Size Checking

In addition to type checking the programmer should also check the size of the data.  If this is not done applications can have issues related to program overflow errors. 

All data should be checked that it is in range with the bounds of the application, which in some cases could be restricted by the database.  Here is an example of an integer overflow in CVE-2014-7185.

Conclusion

Input validation is important for security and correct functioning of the application.  It can improve the user experience and prevent malicious users from using the application in a way other than it was intended.