Input Validation

Topics to be covered...
• What is Input Validation?
• Why Input Validation?
• Input Validation Approaches
Input Validation
• Process of inspecting and verifying data entered into a system to ensure its
accuracy, safety, and reliability
• The primary goal of input validation is to prevent potentially harmful or erroneous
data from causing issues in an application.
• It plays a pivotal role in enhancing security, data integrity, and the overall user
experience
Why Input Validation Matters:
• Data Quality: Validating input data ensures that the data stored in your system is
accurate and meaningful. It prevents errors that can arise from incorrect or
unexpected data.

• User Experience: Validating input also enhances the user experience by providing
immediate feedback to users about the correctness of their input, reducing
frustration and errors.

• Security: One of the primary reasons for input validation is security. Malicious users
can exploit vulnerabilities in input fields to launch attacks like SQL injection, cross-
site scripting (XSS), and more. Proper input validation can mitigate these risks.
Input Validation Approaches
• Two main approaches to input validation:

1. Client-Side Input Validation

2. Server-Side Input Validation

Client-side Input Validation
• It occurs within the user's web browser or the client application before
data is sent to the server

• It is typically implemented using JavaScript or other client-side

scripting languages
Client-side Input Validation
Pros:

• Immediate Feedback: Client-side validation provides immediate feedback to users

as they fill out forms, improving the user experience by reducing the need to submit
the form to discover errors

• Reduced Server Load: Validating input on the client side reduces the amount of
invalid data sent to the server, which can help reduce server load and save
bandwidth

• Faster Response: Because errors are caught on the client side, users receive
quicker responses, making the application feel more responsive
Client-side Input Validation
Cons:

• Security Risk: Relying solely on client-side validation is a security risk. Malicious

users can bypass or disable JavaScript, allowing them to send malicious data to the
server.

• Data Integrity: Client-side validation does not guarantee data integrity, as attackers
can manipulate the client-side code or use tools to send malicious requests.

• Duplication of Effort: Implementing validation on both the client and server sides
can result in duplicated code and maintenance efforts, making it harder to ensure
consistency.
Client-side Input Validation
Example - Input Validation using HTML Tags

<form action="" method="post">

Name: <input type=”text” name=”name” maxlength=”20”>
Mobile:<input type=”text” name=”mobile” minlength=”10” maxlength=”10”>
Email:<input type=”email” name=”email”>

<input type="submit" name="submit" value="Submit"> <br>

</form>
Client-side Input Validation
Example - Input Validation using Java Script
<form name="myForm" onsubmit="return validateForm()" method="post">
Age: <input type="text" name="age">
<input type="submit" value="Submit">
</form>
<script>
function validateForm() {
var age = document.forms["myForm"]["age"].value;
if (isNaN(age) || age <= 0) {
alert("Age must be a positive number.");
return false;
}
}
</script>
Server-side Input Validation
• It is performed on the server after receiving data from the client
• It is considered the last line of defense and is critical for security and
data integrity
Server-side Input Validation
Pros:

• Security: Server-side validation is more secure because it cannot be bypassed by

users disabling JavaScript or manipulating client-side code

• Data Integrity: It ensures that data stored in the database is accurate and
meaningful, preventing issues stemming from invalid or malicious input

• Consistency: Server-side validation enforces consistent validation rules across all

clients, ensuring that no invalid data enters the system
Server-side Input Validation
Cons:

• Delayed Feedback: Errors are detected after the client submits the data, leading to
a potentially less user-friendly experience compared to immediate client-side
feedback

• Increased Server Load: All data, including invalid data, is sent to the server, which
can increase server load and use more bandwidth, particularly if the application has
a large user base

• Response Time: The response time for validation errors is dependent on network
latency and server processing time, potentially making the user experience feel less
responsive
Server-side Input Validation
Example - Input Validation using PHP
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Email: <input type="text" name="email">
<input type="submit" value="Submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$email = $_POST["email"];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
echo "<p>Invalid email address. Please enter a valid email.</p>";
} else {
echo "<p>Email address: " . $email . "</p>";
}
}
?>
Input Validation - Best Approach
• In practice, the best approach is to implement a combination of both
client-side and server-side input validation
• Client-side validation improves the user experience by catching errors
early, while server-side validation provides essential security and data
integrity checks
• This layered approach offers a balance between user-friendliness
and security, ensuring that your application is robust and user-friendly
while minimizing security risks
?