Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should the function or the caller be responsible for input validation?

I'm doing a security audit on a fairly large php application and was wondering where I should include my user-input validation.

Should I validate the data, then send the clean data off to the back-end functions or should I rely on each function to do it's own validation? Or even both?

Is there any standard or best-practice for this sort of thing?

Currently the app does both inconsistently and I'll like to make things more consistent.

like image 255
haudenschilt Avatar asked Jun 07 '10 19:06

haudenschilt


2 Answers

Both is the better answer. Data validation should happen in every function that will be handling the data to avoid the problem of Hope Driven Development (HDD)

like image 192
MANCHUCK Avatar answered Sep 30 '22 10:09

MANCHUCK


You should definitely validate the data from the outside as soon as possible. Depending on the architecture, backend validation inside the responsible functions can be a second step, but don't depend on backend validation but validate the data when it comes in to your application.

The pros with validation inside functions as a complement to the previous validation is that it's easier (and safer) to maintain the system because (sloppier) developers after you can't break the application. If you have an application with plugin support, e.g. for third party plugins, safe functions is a must also.

like image 25
Emil Vikström Avatar answered Sep 30 '22 11:09

Emil Vikström