 

Where does input validation belong in an MVC application?


I have an MVC application that receives an input from a form.
This is a login form so the only validation that is necessary is to check whether the input is non-empty.
Right now before I pass it to the model I validate it in the controller.
Is this a best practice or not? Does it belong to the model?

the_drow asked Jan 15 '10 00:01




1 Answer

I don't think there's an official best practice limiting validation to any single part of the MVC pattern. For example, your view can (and should) do some up-front validation using JavaScript. Your controller should also offer the same types of validation, as well as more business-logic related validation. The model can also offer forms of validation, i.e., setters not allowing null values.

There's an interesting discussion of this at joelonsoftware.

Kaleb Brasee answered Oct 05 '22 08:10
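The layering described in the answer above, as an added example that is not part of the original post: the controller repeats the login form's non-empty check on the server, and the model's setter rejects null values regardless of the caller. The names `User`, `LoginController` and `ValidationError` and the sample requests are hypothetical, constructed for illustration.

```python
class ValidationError(ValueError):
    """Raised when a value breaks a model invariant."""


class User:
    """Model: the setter refuses null/empty values for every caller,
    including code paths that never pass through the controller."""

    def __init__(self, username):
        self.username = username  # routed through the setter below

    @property
    def username(self):
        return self._username

    @username.setter
    def username(self, value):
        if not isinstance(value, str) or not value.strip():
            raise ValidationError("username must be a non-empty string")
        self._username = value.strip()


class LoginController:
    """Controller: re-checks what the view's script checked, because the
    server cannot assume a request was produced by that form."""

    REQUIRED = ("username", "password")

    def login(self, form):
        errors = {}
        for field in self.REQUIRED:
            value = form.get(field)
            # Missing key, wrong type and whitespace-only all count as empty.
            if not isinstance(value, str) or not value.strip():
                errors[field] = "required"
        if errors:
            return 400, errors
        user = User(form["username"])
        # Credential verification is omitted; only validation is shown.
        return 200, {"user": user.username}


if __name__ == "__main__":
    controller = LoginController()
    # Constructed sample requests: form post, blank fields, non-string field.
    print(controller.login({"username": "alice", "password": "s3cret"}))
    print(controller.login({"username": "   ", "password": ""}))
    print(controller.login({"username": ["alice"], "password": "s3cret"}))
```
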