An important component of any application or website that exchanges data with its users is trust. Whenever an online application or website allows a user to submit information, there is always the potential that the submitted information is malicious, corrupt, or otherwise makes the application or website behave unexpectedly. Conversely, when an end user consumes data from an online application or website, this too carries its own risks. To limit the exposure in both cases, correct data validation and sanitisation ensures that the data received by the application can be trusted.
Data validation checks that the information entered into an input field matches what the field is expected to contain. For example, birthdates are DD-MM-YYYY and should only contain numbers. Data sanitisation ensures that this input data does not contain code of any form. Validating and sanitising user input is carried out to ensure that any data entering an information system can be trusted. Without sufficient measures, devices and networks can be left open to attacks such as Cross-Site Scripting (XSS) and SQL injection.
How are validation and sanitisation performed?
To prevent the injection of unwanted data, fields that take users' input must accept or reject that input based upon a defined set of rules. A variety of tools and techniques can be used to accomplish this, dependent on the systems and programs in use. This can include defining and enforcing a rigid, expected format for every input field. For example, all dates must be in DD-MM-YYYY format, and only numbers within the expected range (e.g. 01-12 for the month) are accepted.
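As an added worked example (not code from the original article), the following Python module applies the rules described above to two form fields: a birthdate that must match DD-MM-YYYY with the month in 01-12 and a day that exists in that month, and a display name restricted to an allow-list of characters. It then shows where sanitisation fits: the validated values are encoded for HTML only at render time, and are stored with a parameterised query rather than concatenated into SQL. The field names, the `profiles` table, the 1900 lower bound on the year and the name allow-list are assumptions made for the example; the sample inputs are constructed.

```python
import html
import re
import sqlite3
from datetime import date
from typing import Optional

# Allow-list pattern for the DD-MM-YYYY format described above: exactly two
# digits, a hyphen, two digits, a hyphen, four digits, anchored at both ends
# (\Z, unlike $, does not allow a trailing newline to slip through).
DATE_PATTERN = re.compile(r"\A(\d{2})-(\d{2})-(\d{4})\Z")

# Assumed allow-list for a display-name field: letters, spaces, hyphens and
# apostrophes only, 1-64 characters. Anything else (angle brackets, quotes,
# semicolons, ...) is rejected outright rather than "cleaned up".
NAME_PATTERN = re.compile(r"\A[A-Za-z][A-Za-z '\-]{0,63}\Z")


def validate_birthdate(raw: str) -> Optional[date]:
    """Return a date if `raw` is a well-formed, real DD-MM-YYYY date, else None.

    Two layers: the shape of the string (regex allow-list), then the semantic
    range (month 01-12, a day that exists in that month, a plausible year).
    The 1900 lower bound is an assumption for this example.
    """
    if not isinstance(raw, str):
        return None
    match = DATE_PATTERN.match(raw)
    if match is None:
        return None
    day, month, year = (int(group) for group in match.groups())
    if not 1 <= month <= 12:
        return None
    if not 1900 <= year <= date.today().year:
        return None
    try:
        # date() enforces the per-month day range, including leap years,
        # so 31-02-2024 and 29-02-2023 are rejected here.
        return date(year, month, day)
    except ValueError:
        return None


def validate_name(raw: str) -> Optional[str]:
    """Return the name unchanged if it matches the allow-list, else None."""
    if isinstance(raw, str) and NAME_PATTERN.match(raw):
        return raw
    return None


def sanitise_for_html(value: str) -> str:
    """Encode a value for safe insertion into HTML text or attribute content.

    This is output encoding for one specific context (HTML). It is applied at
    render time, not stored, and it complements rather than replaces the
    validation above.
    """
    return html.escape(value, quote=True)


def new_profile_db() -> sqlite3.Connection:
    """Create an in-memory database with the (assumed) table used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (name TEXT NOT NULL, birthdate TEXT NOT NULL)")
    return conn


def store_profile(conn: sqlite3.Connection, raw_name: str, raw_birthdate: str) -> bool:
    """Validate both fields, then insert them with a parameterised query.

    Returns False (and stores nothing) if either field fails validation.
    The driver binds the values separately from the SQL text, so even
    validated input is never concatenated into the query string.
    """
    name = validate_name(raw_name)
    birthdate = validate_birthdate(raw_birthdate)
    if name is None or birthdate is None:
        return False
    conn.execute(
        "INSERT INTO profiles (name, birthdate) VALUES (?, ?)",
        (name, birthdate.isoformat()),
    )
    return True


if __name__ == "__main__":
    # Constructed sample submissions: the first is valid, the rest are
    # malformed, out of range, or carry characters a date never needs.
    samples = ["14-03-1999", "31-02-2024", "14-13-1999", "1999-03-14", "14-03-1999<b>"]
    for sample in samples:
        print(f"{sample!r:>18} -> {validate_birthdate(sample)}")
    print(sanitise_for_html("O'Brien <b>"))
```

The validator returns a typed `date` rather than the original string, so downstream code works with a value that has already been proven well-formed; the string is only reconstructed (via `isoformat()`) at the storage boundary, and HTML encoding is left to the rendering layer because the correct encoding depends on where the value ends up.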
To ensure the security of networks and devices, it is imperative that they only accept the input they are designed to receive. Failure to do so can result in anything from applications freezing or crashing to network compromise or worse. While data validation and sanitisation should not be used as the only form of defence, it is a key method of reducing the impact and severity of attacks. These preventative measures help reduce the vulnerability of systems and the risk of compromise.
For more information and advice about input validation and sanitisation and its impact on your applications, please get in touch and we’ll be glad to assist.