Update 269-knowledge_base--type_checking_and_length_checking--.md

blabla1337 · Mar 7, 2019 · fd1f007 · fd1f007
1 parent 95a3fa3
commit fd1f007
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/...kdown/knowledge_base/269-knowledge_base--type_checking_and_length_checking--.md b/...kdown/knowledge_base/269-knowledge_base--type_checking_and_length_checking--.md
@@ -20,3 +20,18 @@ the attack would effectively been mitigated.
 
 All the user supplied input that works outside of the intended opteration of the application
 should be rejected by the application.
+
+Syntax and Semantic Validity
+An application should check that data is both syntactically and semantically 
+valid (in that order) before using it in any way (including displaying it back to the user). 
+
+Syntax validity, means that the data is in the form that is expected. For example, an application
+may allow a user to select a four-digit “account ID” to perform some kind of operation. 
+The application should assume the user is entering a SQL injection payload, and should 
+check that the data entered by the user is exactly four digits in length, and consists only of numbers 
+(in addition to utilizing proper query parameterization).
+
+Semantic validity, includes only accepting input that is within an acceptable range for the
+given application functionality and context. For example, a start date must be before an end
+date when choosing date ranges.
+