Using Hapi.JS Joi to validate inputs for an Express application. It's a boilerplate setup:
```javascript
const express = require('express');
const Joi = require('joi');

const app = express();

const schema = Joi.object().keys({
  username: Joi.string().alphanum().min(3).max(30).required(),
  birthyear: Joi.number().integer().min(1900).max(2013),
}).with('username', 'birthyear');

app.use('/user/:id', function (req, res, next) {
  // Joi.validate with a callback is the older Joi API (removed in v16)
  Joi.validate({ username: 'abc', birthyear: 1994 }, schema, function (err, value) {
    if (err) {
      // ... handle the validation error
    }
    // ...
    next();
  });
});
```
QUESTION #1: What's the difference between validation and sanitization? And should I sanitize inputs for an Express API? It's for a mobile app, and not for a website, so I'm trying to understand if I should validate as well as sanitize.
QUESTION #2: How can I sanitize inputs with Joi or some other Express compatible library?
Validation checks if the input meets a set of criteria (such as a string contains no standalone single quotation marks). Sanitization modifies the input to ensure that it is valid (such as doubling single quotes). You would normally combine these two techniques to provide in-depth defense to your application.
Sadly, Joi doesn't provide sanitization out of the box but express-validator does.
What's the difference between validation and sanitization?
Sanitization
Sanitizing Inputs means checking input before storing it in a database or using it for any other purpose to prevent malicious code injection.
A basic example would be SQL injection, which has to be taken into account if you want to store/verify data. Suppose you are checking login credentials submitted by a user against your database. Your query might be something like
SELECT * FROM `users` WHERE `username`='$user' AND `pass`='$pass'
where $user and $pass are the username and password which the user enters.
If you are not sanitizing user input and user enters something like this:
username -> admin' AND 1=1 OR 1='1
password -> pass
Your query would become:
SELECT * FROM `users` WHERE `username`='admin' AND 1=1 OR 1='1' AND `pass`='pass'
which on execution selects the admin field and logs the user in as admin.
But if you are sanitizing user input, your query would be:
SELECT * FROM `users` WHERE `username`='admin\' AND 1=1 OR 1=\'1' AND `pass`='pass'
which will not give the user access to any account unless the username and password match a database entry.
Validation
Validation is the checking or verification of any data that comes in, which helps verify that the data has not been compromised or corrupted during transmission.
For example, if you are taking the mobile platform as an argument, then you only want to allow Android or iOS as a value and other values are not valid. If some critical input is needed from the user that cannot be empty, then checking it also comes under validation.
But if the user gives ANDROID & IOS as input, then sanitization will make that ANDROID &amp; IOS, which will not allow the user to break the code and logic.
should I sanitize inputs for an Express API?
Yes, you should always sanitize data because, if you are exposing it as a REST API, the user can insert malicious data into the input of the mobile app. It is better to be ready for all the edge cases, as the user can do anything. (:wink:)
How can I sanitize inputs with Joi or some other Express compatible library?
With Joi you can sanitize a variable with additional options:
validate(value, schema, {escapeHtml: true}, [callback])
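The two answers above describe validation (reject input that fails fixed criteria) and sanitization (transform input so it cannot change meaning in the place it is used) in prose. The following is an added example, not code from the question or from either answer, and not Joi's or express-validator's API: it implements both ideas in plain JavaScript so it runs without Joi, Express or a database. The helper names (validateUser, escapeHtml, escapeSqlString, buildLoginQuery, handleUserInput) and the sample inputs are this example's own; the username/birthyear rules come from the question's schema, the platform whitelist and the two login queries come from the second answer.

```javascript
// Added example: validation vs. sanitization in plain JavaScript.
// Not code from the original question or answers; no library API is assumed.

const ALLOWED_PLATFORMS = ['android', 'ios']; // whitelist from the second answer

// Validation: check the input against fixed criteria and report what fails.
// Nothing is modified; bad input is rejected as a whole.
function validateUser(input) {
  const errors = [];
  const { username, birthyear, platform } = input;

  // same rules as the question's Joi schema: alphanumeric, 3-30 chars, required
  if (typeof username !== 'string' || !/^[a-z0-9]{3,30}$/i.test(username)) {
    errors.push('username must be 3-30 alphanumeric characters');
  }
  // optional integer year in [1900, 2013]
  if (birthyear !== undefined &&
      (!Number.isInteger(birthyear) || birthyear < 1900 || birthyear > 2013)) {
    errors.push('birthyear must be an integer between 1900 and 2013');
  }
  // optional platform, whitelist only
  if (platform !== undefined && !ALLOWED_PLATFORMS.includes(platform)) {
    errors.push('platform must be one of: ' + ALLOWED_PLATFORMS.join(', '));
  }
  return { valid: errors.length === 0, errors };
}

// Sanitization: transform the input for one specific output context.
// Each context (HTML, SQL literal, shell, ...) needs its own escaping rules.

// HTML text context: the characters that can open markup or close an
// attribute become entities, e.g. 'ANDROID & IOS' -> 'ANDROID &amp; IOS'.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// SQL string-literal context, backslash-escaped exactly as the second answer's
// "sanitized" query shows. Backslashes are escaped first so an attacker cannot
// neutralise the escape that is added in front of a quote.
function escapeSqlString(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// The second answer's login query built by string concatenation, with and
// without escaping, so the two resulting query strings can be compared.
function buildLoginQuery(user, pass, { escape }) {
  const u = escape ? escapeSqlString(user) : user;
  const p = escape ? escapeSqlString(pass) : pass;
  return "SELECT * FROM `users` WHERE `username`='" + u + "' AND `pass`='" + p + "'";
}

// Both steps together, the way an Express handler would use them:
// normalise the shape of the input first (trim, lower-case the enum),
// then validate, then hand back a cleaned value or a 400-style error.
function handleUserInput(body) {
  const cleaned = {
    username: typeof body.username === 'string' ? body.username.trim() : body.username,
    birthyear: body.birthyear,
    platform: typeof body.platform === 'string' ? body.platform.trim().toLowerCase() : body.platform,
  };
  const result = validateUser(cleaned);
  if (!result.valid) {
    return { status: 400, errors: result.errors };
  }
  return { status: 200, value: cleaned };
}

// Constructed sample inputs (not captured from any real request)
const good = { username: ' abc ', birthyear: 1994, platform: 'Android' };
const injected = { username: "admin' AND 1=1 OR 1='1", birthyear: 1994 };

console.log(handleUserInput(good));      // status 200, username 'abc', platform 'android'
console.log(handleUserInput(injected));  // status 400: the quote and spaces fail the whitelist
console.log(buildLoginQuery(injected.username, 'pass', { escape: false })); // the answer's broken query
console.log(buildLoginQuery(injected.username, 'pass', { escape: true }));  // the answer's escaped query
console.log(escapeHtml('ANDROID & IOS')); // ANDROID &amp; IOS
```

Two design points worth noting. First, the strict alphanumeric validation already rejects the injected username before any query is built, which is why validation and sanitization are combined rather than chosen between. Second, escaping a SQL literal by hand only reproduces what the answer describes; in practice the value should be passed to the database driver as a bound parameter of a prepared statement, which removes the need to escape for that context at all, and HTML escaping belongs at the point where the value is rendered, not where it is stored.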