Validation Guidance Bundle

Malicious or unexpected input is the source of many stability and security problems in Web applications. When an application uses flawed or non-existent input validation, a user can supply input that causes the application to stop performing or to perform irregularly. Potentially even more damaging, an attacker can supply carefully crafted input that compromises the application by attempting SQL injection, cross-site scripting, and other injection attacks.
Any application that accepts input either from users or from other systems should ensure that the information is valid according to the type of data that is expected. An application can check that the input contains only characters in a particular range, is of a certain length, matches a particular format, or more. For example, when processing an order, the application can check that a customer's phone number has the correct number of digits or that a date falls within a particular range. If the validation fails, the application can reject the order and display an error message that explains what is wrong.
WebPageDisplayingValidationErrorMessages.png
Figure 1
Web page displaying validation error messages.

Validation has many applications. For example, you can use it to prevent the injection of malicious data by checking to see if a string is too long or if it contains illegal characters. You can also use validation to enforce business rules and to provide responses to user input. It is often important to validate data several times within the same application. For example, you may need to validate data at the UI layer to give immediate feedback when a user enters an invalid data value and validate it again at the service interface layer for security.
The purpose of this guidance bundle is to provide guidance on how to perform validation in Web applications to avoid input that might cause the application to stop performing, to perform irregularly, or, potentially even more damaging, input that compromises the application by attempting SQL injection, cross-site scripting, and other injection attacks.

What Is a Bundle?

A bundle is a small package of guidance that is focused around one technical concept. The primary purpose of a bundle is to allow users to quickly, conveniently, and easily learn and evaluate a concept. 
Although a bundle can contain any type of guidance, a bundle typically includes the following elements:
  • Source code: QuickStarts and related artifacts
  • Binaries: Application block binaries required by the QuickStarts
  • Written documentation: QuickStarts description and How-To topics

What Is in This Bundle?

The Validation Bundle contains the following elements:

Last edited Nov 8, 2007 at 11:47 AM by siacomuzzi, version 5

Comments

No comments yet.