Commit 4644b8e: Add clarifications to the explanatory text
Showing 1 changed file with 3 additions and 3 deletions.
There are some lines of text, but I struggle to put my finger on what exact message it tries to deliver. If I read this, it gives me the impression that input validation is a good extra defense in depth but is not always necessary - but this is not true.
Points to cover (not in this wording):
I would move line 3 to 1st.
I would also like to note that sometimes, input validation is a super powerful security measure. For example, when a piece of input should be an integer within a certain range, validating that a variable truly is an integer in that range provides excellent injection protection.
@jmanico - it may work in practice as a "dirty hack", but for me, this is fundamentally incorrect. To avoid injection, you need to handle output - handling the output must not rely on business logic rules and should be independent and built in the way "I can handle correctly whatever data comes".
I agree with you mostly. For example, not parameterizing a variable even if it's an int can be a performance problem. So yeah, I hear you, Elar.
PS: This is how most web application firewalls work.
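The two positions in this thread side by side, as an added example written for this page and not code from the repository under review: a strict integer range validator (input validation, as in the integer example above) next to a parameterised lookup (output handling that stays safe "whatever data comes"). The `users` table and the in-memory SQLite database are constructed sample data.

```python
import sqlite3


def validate_int_in_range(raw: str, lo: int, hi: int) -> int:
    """Allow-list input validation: accept only a plain ASCII decimal integer
    (optional leading '-') inside [lo, hi]; reject everything else.
    int() alone is too lenient (it accepts ' 5', '5_0', full-width digits),
    so the text is checked before conversion."""
    if not isinstance(raw, str):
        raise ValueError("expected a string")
    digits = raw[1:] if raw.startswith("-") else raw
    if not digits.isascii() or not digits.isdigit():
        raise ValueError(f"not a decimal integer: {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{value} outside [{lo}, {hi}]")
    return value


def is_valid_int(raw, lo: int, hi: int) -> bool:
    """Boolean wrapper around the validator, handy for tests and filters."""
    try:
        validate_int_in_range(raw, lo, hi)
        return True
    except ValueError:
        return False


def make_db() -> sqlite3.Connection:
    """Constructed sample database with three users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn: sqlite3.Connection, raw: str) -> list:
    """Vulnerable form: the input is pasted into the query text, so it is
    only safe if something upstream (e.g. the validator) guaranteed it."""
    return conn.execute(f"SELECT name FROM users WHERE id = {raw}").fetchall()


def lookup_param(conn: sqlite3.Connection, raw) -> list:
    """Output handling: a bound parameter is always treated as data, so the
    query stays correct regardless of business rules on the input."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (raw,)).fetchall()
```

Running both lookups on the same unvalidated string shows why the thread treats parameterisation as the primary control and range validation as a strong, but rule-dependent, extra layer.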