Validation Guidance

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Malicious or unexpected input can cause many stability and security problems in Web applications. When an application either neglects to validate input or uses flawed validation techniques, a user can supply data that causes the application to stop performing or to perform irregularly. An even greater threat is that an attacker can use injection techniques such as SQL injection and cross-site scripting.

Any application that accepts input either from users or from other systems should ensure that the information is valid. An application, for example, can check that the input contains only characters in a particular range, is of a certain length or matches a particular format. For example, when processing an order, the application can check that a customer's phone number has the correct number of digits or that a date falls within a particular range. If the validation fails, the application can reject the order and display an error message that explains what is wrong. This is shown in Figure 1.


Figure 3

Web page displaying validation error messages

Validation has many uses. For example, it can prevent an attacker from injecting malicious data by checking to see if a string is too long or if it contains illegal characters. You can also use validation to enforce business rules and to provide responses to user input. It is often important to validate data several times within the same application. For example, you may need to validate data at the UI layer to give immediate feedback when a user enters an invalid data value and validate it again at the service interface layer for security.

The purpose of the validation guidance is to provide information on how to perform validation in Web applications.

What Is in This Guidance?

The Validation Guidance contains the following elements: