Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.

Secure Development Tips

A blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor


Use Positive Input Validation


What to Do

Validate all user input by using white-list/positive input validation. White-list input validation means allowing only input that is explicitly defined as valid, as opposed to black-list input validation, which filters out known bad input.


Properly implemented input validation is effective at preventing SQL Injection and Cross-Site Scripting vulnerabilities.


To validate all user input using white-list input validation:

  1. Identify all entry points for user input. Make a list of all possible sources of user input in your application, such as form fields, POST/GET parameters, cookies, etc.
  2. Identify all types of input accepted by the application. For each source of user input on the list, define valid characters, length, format, and range (for numerical values).
  3. Define an input validation subsystem. Define a set of validator functions that should be used to validate each type of input handled by the application. Input must be validated on the server; client-side checks can be bypassed and are only a usability aid.
  4. Validate characters. Restrict the acceptable range of characters in text input by using regular expressions.
  5. Validate length. Add code to check that the length of the user input is valid.
  6. Validate format. If the input type has a specific pattern, such as a date or a phone number, add code to use regular expressions to make sure user input matches the input type specified by the application. Use regular expressions to enforce strong password requirements.
  7. Validate range. Restrict the acceptable range of numerical input by comparing the input to the maximum and minimum acceptable values.
  8. (Optional) Reject and respond to known bad input. This step does not add much actual security, but it is included here to let you know that such an option exists. The input validation subsystem may check for known attack strings and respond to these likely attacks by doing things like logging detailed user information, alerting the administrator, blocking the user's IP address for some time, and displaying an error message that informs the attacker the activity has been detected and reminds them of the consequences.
  9. (Optional) Encode input. If the input is going to be displayed back through the web application, consider adding code to encode it on output, in the context where it is rendered, to prevent Cross-Site Scripting attacks.
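The following is an added example, not code from the original post or from TeamMentor, that carries steps 1 through 9 above through in Python as one small validation subsystem. The field names (`username`, `phone`, `birth_date`, `age`), the rules attached to them and the form data are constructed assumptions for a hypothetical registration form. Each field gets one allow-list rule (step 2); the validator checks length (step 5), allowed characters and format (steps 4 and 6), numeric range (step 7), and logs rejections without storing the rejected value; `encode_for_html` is the separate output-encoding step (step 9).

```python
import html
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Optional, Tuple, Union


class ValidationError(ValueError):
    """Raised when a value fails the positive (allow-list) check for its field."""


@dataclass(frozen=True)
class Rule:
    """Allow-list definition for one kind of input (step 2)."""
    pattern: re.Pattern            # allowed characters / required format (steps 4 and 6)
    min_len: int                   # length bounds (step 5)
    max_len: int
    min_val: Optional[int] = None  # numeric range, only for numeric fields (step 7)
    max_val: Optional[int] = None
    semantic: Optional[Callable[[str], bool]] = None  # extra format check, e.g. a real date


def _is_real_date(text: str) -> bool:
    """A regex accepts 1990-02-30; only a calendar check rejects it."""
    try:
        date.fromisoformat(text)
        return True
    except ValueError:
        return False


# Constructed rules for a hypothetical registration form (step 1: every entry point listed).
RULES: Dict[str, Rule] = {
    "username":   Rule(re.compile(r"[A-Za-z0-9_]+"), 3, 20),
    "phone":      Rule(re.compile(r"\d{3}-\d{3}-\d{4}"), 12, 12),
    "birth_date": Rule(re.compile(r"\d{4}-\d{2}-\d{2}"), 10, 10, semantic=_is_real_date),
    "age":        Rule(re.compile(r"\d{1,3}"), 1, 3, min_val=13, max_val=120),
}

REJECTED_LOG = []  # audit trail of rejections as (field, reason); the raw value is not kept


def validate(field: str, value: object) -> Union[str, int]:
    """Return the cleaned value for a known field, or raise ValidationError."""
    if field not in RULES:
        # An entry point that was never enumerated is refused, not passed through.
        raise ValidationError(f"{field}: no validation rule defined")
    rule = RULES[field]
    try:
        if not isinstance(value, str):
            raise ValidationError(f"{field}: expected a string")
        if not rule.min_len <= len(value) <= rule.max_len:
            raise ValidationError(f"{field}: length must be {rule.min_len}-{rule.max_len}")
        # fullmatch anchors both ends, so a trailing newline or stray character fails too
        if rule.pattern.fullmatch(value) is None:
            raise ValidationError(f"{field}: contains characters outside the allowed set")
        if rule.semantic is not None and not rule.semantic(value):
            raise ValidationError(f"{field}: malformed value")
        if rule.min_val is not None:
            number = int(value)
            if not rule.min_val <= number <= rule.max_val:
                raise ValidationError(f"{field}: must be between {rule.min_val} and {rule.max_val}")
            return number
        return value
    except ValidationError as err:
        REJECTED_LOG.append((field, str(err)))
        raise


def rejects(field: str, value: object) -> bool:
    """True if the validator refuses the value (convenient for unit tests)."""
    try:
        validate(field, value)
    except ValidationError:
        return True
    return False


def validate_form(form: Dict[str, object]) -> Tuple[Dict[str, Union[str, int]], Dict[str, str]]:
    """Validate every known field; unknown submitted fields are ignored, missing ones fail."""
    clean, errors = {}, {}
    for field in RULES:
        try:
            clean[field] = validate(field, form.get(field, ""))
        except ValidationError as err:
            errors[field] = str(err)
    return clean, errors


def encode_for_html(value: object) -> str:
    """Step 9: encode before echoing into an HTML page (output encoding, not validation)."""
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    # Constructed submission: two fields pass, two fail, one unknown field is ignored.
    submitted = {"username": "alice_01", "phone": "555-123-4567",
                 "birth_date": "1990-02-30", "age": "7", "extra": "ignored"}
    accepted, rejected = validate_form(submitted)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("safe to echo:", encode_for_html(submitted["username"]))
```

The design point is that every check is phrased as what is allowed, never as what is forbidden: a new kind of input cannot reach application code until a `Rule` exists for it, and the regexes are matched with `fullmatch` so partial matches and trailing characters cannot slip through. Output encoding is kept as a separate function because validation decides what is stored while encoding depends on where the value is later rendered.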
