C validating data
If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.
The user has no control over the price variable; however, the code does not prevent a negative value from being specified for quantity.
In some cases its usage can obscure the real underlying weakness or otherwise hide chaining and composite relationships.
Some people use "input validation" as a general term that covers many different neutralization techniques for ensuring that input is appropriate, such as filtering, canonicalization, and escaping.
Alternatively, an attacker can provide very large negative values which will cause an integer overflow (CWE-190) and unexpected behavior will follow depending on how the values are treated in the remainder of the program.
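To make the two failure modes concrete, here is an added C example (written for this page, not taken from the CWE entry or its example listings). It places the unchecked pattern the text describes beside a validating version: the quantity is parsed as a plain decimal integer within an assumed business limit of 1 to MAX_QUANTITY (the limit and the `parse_quantity`/`total_checked` names are this example's own choices), and the multiplication is performed with `__builtin_mul_overflow` so that a wrap is reported as an error instead of producing a bogus total.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>

/* Assumed business limit for a single order; not from the original text. */
#define MAX_QUANTITY 1000

/* The pattern described above: price is trusted, quantity is user-controlled
 * and never validated, so a negative quantity yields a negative total (a
 * credit) and a large magnitude can overflow the multiplication. */
int total_unchecked(int price, int quantity)
{
    return price * quantity;
}

/* Validate the raw quantity text from the request.
 * Rejects signs, leading whitespace, trailing junk, zero, negatives and
 * values above MAX_QUANTITY. Returns true and stores the value on success. */
bool parse_quantity(const char *text, int *out)
{
    if (text == NULL || !isdigit((unsigned char)*text))
        return false;                 /* empty, signed or non-numeric input */
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;                 /* out of range, or trailing characters */
    if (v < 1 || v > MAX_QUANTITY)
        return false;                 /* zero, negative or excessive */
    *out = (int)v;
    return true;
}

/* Compute the charge, failing instead of wrapping when price * quantity
 * does not fit in an int. Returns true and stores the total on success. */
bool total_checked(int price, int quantity, int *out)
{
    if (price < 0 || quantity < 1 || quantity > MAX_QUANTITY)
        return false;
    return !__builtin_mul_overflow(price, quantity, out);
}
```

`parse_quantity` is the step that belongs at the trust boundary (the request handler); `total_checked` repeats the range check so that the arithmetic stays safe even if a caller bypasses the parser.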
Example 3: The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage.
Others use the term in a more narrow context to simply mean "checking if an input conforms to expectations without changing it." If a programmer believes that an attacker cannot modify certain inputs, then the programmer might not perform any input validation at all.
For example, in web applications, many programmers believe that cookies and hidden form fields cannot be modified from a web browser (CWE-472), although they can be altered using a proxy or a custom program.
Remember that such inputs may be obtained indirectly through API calls.

This allows the analyst to focus on areas of the software in which input validation does not appear to be present.

Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives, i.e., warnings that do not have any security consequences or require any code changes.

Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form:

If this data were used in a SQL statement, it would treat the remainder of the statement as a comment. The comment could disable other security-related logic in the statement.
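The birthday point above is the difference between a character deny-list and an allow-list of the expected format. The following C example is added here for illustration and is not code from the CWE entry: `is_digits_and_dashes` is the weak filter the text mentions, and `parse_birthday` accepts only an exact `YYYY-MM-DD` date with calendar range checks (the year bounds 1900 to 2100 and both function names are this example's own assumptions). A string made only of digits and dashes but longer than ten characters passes the first and fails the second. Validation does not replace parameterized queries; it keeps malformed values out of the application logic before they ever reach the database layer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* The weak filter: permit any string consisting solely of digits and dashes.
 * This says nothing about whether the value is a date. */
bool is_digits_and_dashes(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s) && *s != '-')
            return false;
    }
    return true;
}

/* Allow-list validation: exactly ten characters in the shape YYYY-MM-DD,
 * digits in the digit positions, dashes in the dash positions, and a
 * calendar-valid year/month/day (assumed year range 1900..2100).
 * On success stores the components and returns true. */
bool parse_birthday(const char *s, int *year, int *month, int *day)
{
    if (s == NULL || strlen(s) != 10 || s[4] != '-' || s[7] != '-')
        return false;
    for (int i = 0; i < 10; i++) {
        if (i == 4 || i == 7)
            continue;
        if (!isdigit((unsigned char)s[i]))
            return false;
    }
    int y = (s[0] - '0') * 1000 + (s[1] - '0') * 100 + (s[2] - '0') * 10 + (s[3] - '0');
    int m = (s[5] - '0') * 10 + (s[6] - '0');
    int d = (s[8] - '0') * 10 + (s[9] - '0');

    static const int days_in_month[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    if (y < 1900 || y > 2100 || m < 1 || m > 12)
        return false;
    int max_day = days_in_month[m - 1];
    bool leap = (y % 4 == 0 && y % 100 != 0) || (y % 400 == 0);
    if (m == 2 && leap)
        max_day = 29;
    if (d < 1 || d > max_day)
        return false;

    *year = y;
    *month = m;
    *day = d;
    return true;
}
```

Because `parse_birthday` produces three integers rather than passing the raw string through, the code that builds the query or the page never sees attacker-chosen characters at all.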
This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied.