Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Parameter Validation Best Practices

Imagine you have an application which is some kind of front-end to all your business logic. This front-end has a lot of DLLs upon which it depends, and the methods in those DLLs may call each other repeatedly upon a single execution of a given method in the front-end. If the users of your application do not directly access those DLLs, should you...

1) Risk a (small) performance hit and validate parameters in each of those methods, even if you can end up validating the same parameters some 5 times; or

2) Risk unexpected behaviour and assume that, as you validate input parameters, all the other possible parameters passed to and from your internal code are valid (for example, neither null nor empty)?

Edit: Just to give an example, suppose you have a Regex RegexA and a method

internal bool Matches(string expression)
{
    return RegexA.IsMatch(expression);
}

IsMatch will throw an exception on a null parameter, but not on the empty string. If you know beforehand that an empty string will never be a match to that Regex, should you use if (String.IsNullOrEmpty(expression)) before, even knowing that it may be validated for nullity inside the IsMatch framework method? In this case you are clearly repeating a validation, but is it better to repeat it or to risk?

like image 785
User Avatar asked Jun 28 '11 16:06

User


People also ask

What are the 5 types of validation?

The following are the common Data Validation Types:Format Check. Consistency Check. Uniqueness Check. Presence Check.

How do you validate input parameters?

You can define your own validation rules for validating different request parameters. Input validation can be performed for various kinds of inputs, such as parameter name, parameter value, cookie name, cookie value, and so on. Sterling Field Sales supports regular expression based validation.

Which is best practice in input validation?

Just in time validations One of the best practices in form validation is to inform your users when they make an error so they can immediately verify and correct it before they take the next step. This way, you avoid error messages in the input field but also helps users build their confidence in what they are doing.


2 Answers

Usually parameter checks are very cheap, even if called thousands of times. For example test if a value is null, a string or Collection is emtpy a number is in a given range.

But beware that checks may be expensive, so think twice: Evaluating a regex on a large string, checking if a file exists, checking that all elements in a collection meets a certain criteria.

I would also only recommend checking only in public or protected methods. Note that all public methods with unchecked parameters are potential risks!

EDIT/another thought: If a method does not use the parameters but is just passing it to another method then you may also omit the checking. Only the method which is actually using these parameters for itself should do the checking.

This is because if the requirements of the parameters change you need to change the validations in multiple places, risking inconsistency.

like image 70
codymanix Avatar answered Sep 19 '22 00:09

codymanix


As an author of a library, you cannot assume that the consumers have done proper validation of inputs, so you as a library author would want to ensure the arguments are valid before going to work with them.

As a consumer of a library, if you know what inputs are going to cause the library to fail, why would you pass those inputs to that library? Validate against them so that you can perhaps prompt your user for better inputs or otherwise cancel whatever process you are in.

The fact that you might be the author of both the library and the consumer is not particularly relevant, in my opinion, as this relationship may very well change.

like image 35
Anthony Pegram Avatar answered Sep 22 '22 00:09

Anthony Pegram