Chapter 10. All Input Is Evil!

If someone you didn’t know came to your door and offered you something to eat, would you eat it? No, of course you wouldn’t. So why do so many applications accept data from strangers without first evaluating it? It’s safe to say that most security exploits involve the target application incorrectly checking the incoming data or in some cases not at all. So let me be clear about this: you should not trust data until the data is validated. Failure to do so will render your application vulnerable. Or, put another way: all input is evil until proven otherwise. That’s rule number one. Typically, the moment you forget this rule is the moment you are attacked.

Rule number two is: data must be validated as it crosses the ...

Get Writing Secure Code now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.