a stream of random bytes
Input validation.
Learn to live it.
A wise man once said "Trust but verify". This applies 100% to Web 2.0, otherwise known as the "read-write web". I see applications today that let themselves be broken by accepting arbitrary user input, and I happen to think that's obscene. The most recent example I saw was a social networking and collaboration app that allowed users to edit the contents of pages such that they won't display. Not deleting them, mind you, but simply adding certain content to them which made them unservable as far as the app was concerned. This goes to show that if you decide to let users write whatever they want into your app, you had better also make sure that whatever they write won't break the app. It's a very simple concept, known to better programmers as "input validation". And simple though it may seem, it's also almost entirely ignored. Why am I making this claim with such certainty? Because the first three of the OWASP Top Ten web application security flaws are a direct result of ignoring input validation.
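As an added illustration (this is not code from the post or from the app it describes), here is a Python validator for the kind of user-editable page body the post talks about. Instead of storing whatever arrives, it rejects content that is over-long, contains control characters, uses markup outside an allowlist, or has unbalanced tags, and reports the reasons back so the caller can refuse the write. The tag allowlist, the length limit and the `save_page` store are assumptions made for the example.

```python
from html.parser import HTMLParser

# Assumed policy for the example: limits and allowlists a real app would tune.
MAX_LEN = 10_000
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other tag gets no attributes
ALLOWED_HREF_SCHEMES = ("http://", "https://")


class _TagChecker(HTMLParser):
    """Walk the markup and record every policy violation instead of raising."""

    def __init__(self):
        super().__init__()
        self.stack = []    # currently open tags, used to check balance
        self.errors = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.errors.append(f"tag not allowed: <{tag}>")
            return                      # not pushed: its close tag is reported too
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.errors.append(f"attribute not allowed: {tag}@{name}")
            elif name == "href" and not (value or "").lower().startswith(ALLOWED_HREF_SCHEMES):
                self.errors.append(f"href scheme not allowed: {value!r}")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if not self.stack or self.stack[-1] != tag:
            self.errors.append(f"unbalanced tag: </{tag}>")
        else:
            self.stack.pop()


def validate_page_content(text):
    """Return the list of reasons the content is unacceptable; an empty list means OK."""
    if not isinstance(text, str):
        return ["content must be a string"]
    errors = []
    if len(text) > MAX_LEN:
        errors.append(f"content too long: {len(text)} > {MAX_LEN}")
    # Control characters other than newline, carriage return and tab are rejected.
    bad = sorted({c for c in text if (ord(c) < 32 and c not in "\n\r\t") or ord(c) == 0x7F})
    if bad:
        errors.append("control characters not allowed: "
                      + ", ".join(f"U+{ord(c):04X}" for c in bad))
    checker = _TagChecker()
    checker.feed(text)
    checker.close()                     # flush any trailing buffered input
    errors.extend(checker.errors)
    for tag in reversed(checker.stack):  # anything still open was never closed
        errors.append(f"unclosed tag: <{tag}>")
    return errors


def save_page(pages, name, text):
    """Reject-on-failure store (assumed for the example): only validated content is written.

    Returns (accepted, errors); on rejection the existing page is left untouched.
    """
    errors = validate_page_content(text)
    if errors:
        return False, errors
    pages[name] = text
    return True, []


if __name__ == "__main__":
    store = {}
    # Constructed sample edits: one well-formed, one that would leave the page unrenderable.
    for body in ("<p>Hello <b>world</b></p>", "<p>oops, forgot to close"):
        accepted, why = save_page(store, "home", body)
        print("accepted" if accepted else f"rejected: {why}")
```

The point of returning a list of reasons rather than a boolean is that the app can tell the user exactly what to fix, while the store itself only ever sees content that passed the check; the unclosed `<p>` in the sample is the kind of edit the post describes, and it never reaches the page.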
Posted at 02:31PM Feb 13, 2009 by Andrey Vyetchnost in Personal | Comments[0]