I'm doing a security audit on a fairly large php application and was wondering where I should include my user-input validation.
Should I validate the data, then send the clean data off to the back-end functions or should I rely on each function to do it's own validation? Or even both?
Is there any standard or best-practice for this sort of thing?
Currently the app does both inconsistently and I'll like to make things more consistent.
Both is the better answer. Data validation should happen in every function that will be handling the data to avoid the problem of Hope Driven Development (HDD)
You should definitely validate the data from the outside as soon as possible. Depending on the architecture, backend validation inside the responsible functions can be a second step, but don't depend on backend validation but validate the data when it comes in to your application.
The pros with validation inside functions as a complement to the previous validation is that it's easier (and safer) to maintain the system because (sloppier) developers after you can't break the application. If you have an application with plugin support, e.g. for third party plugins, safe functions is a must also.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With