Data validation

Data validation in software engineering refers to the checking of user inputs, for example. Because missing or unusable entries can lead to serious errors within a program, these values should be validated before being transferred to a program .

Validation as a plausibility check

Validation is understood as a test for plausibility ( English sanity check ), in which a specific value is checked to see whether it belongs to a certain data type or lies in a specified range of values or a specified set of values. Many program errors and security problems are due to a lack of plausibility checks on input values.

For validating the golden rule: never trust the user , never trust the users ' (also: Never trust a user input , never trust user input' ). The validation of values can take place at different points in the life of a software :

In the development process: While the program is being developed, the individual functions and modules should be regularly subjected to so-called unit tests , which check the source code for correct behavior across the board ( Code Coverage Analysis ).

When compiling the program: Some types of validation can already be carried out by the compiler , in particular type safety .

Through the runtime environment : Many programming languages have a runtime system that automatically detects certain types of errors; In particular, access to non-existent objects is recognized by many modern systems.

At runtime : All functions and modules should be implemented defensively, i.e. not rely on them being used correctly. This means that if they are used with incorrect parameters, they should report an error immediately instead of risking complicated consequential errors (the rule of thumb applies: fail-fast , 'quick termination' ). The exception handling concept is particularly suitable for this . Assertions are used for incorrect parameter values, which, in the programmer's opinion, “should never actually occur” .

For user entries: the principle "what can be checked is checked" applies here. In the case of invalid entries, error handling is started, an error message is output and processing is rejected. In the case of doubtful entries, a warning or a request for verification by the user can be issued.

Areas of application

The entries of online forms should always be validated in order to rule out security risks.
In the case of XML data, elements are checked against a schema . If this check fails, the XML data is considered to be invalid ( well-formed ).

Example of validating user input in PHP

If entries by a user are not validated, errors can occur in the further course of the program. Here is an example of a PHP script that receives form data via HTTP POST and divides the first number by the second:

$zahl1 = $_POST['zahl1'];
$zahl2 = $_POST['zahl2'];
echo $zahl1 / $zahl2;

Here the developer has not considered some possible sources of error:

An unexpected result occurs if the user has not completed one of the two text fields

The user is also only allowed to insert numbers in the text field, since PHP may misinterpret the string due to its dynamic typing

If the value is zahl2'0', the division fails (dividing by 0 not possible)

In terms of the test, these points must be excluded in order to enable error-free work:

if(isset($_POST['zahl1']) && isset($_POST['zahl2'])) { // Sind überhaupt beide Textfelder ausgefüllt?
    $zahl1 = $_POST['zahl1'];
    $zahl2 = $_POST['zahl2'];

    if(is_numeric($zahl1) && is_numeric($zahl2)) { // Sind beide Angaben numerisch?
        if($zahl2 != 0) {  // Ist zahl2 ungleich 0 ?
            echo $zahl1 / $zahl2;
        } else {
            echo 'Teilen durch 0 unmöglich!';
        }
    } else {
        echo 'Beide Felder dürfen nur Zahlen enthalten';
    }
} else {
    echo 'Bitte füllen Sie beide Textfelder aus';
}

Example of orthogonal validation in Perl

In order to reduce the programming effort and to make the code clearer, the tests and the resulting error messages / exceptions can be outsourced.

Perl code without validation:

sub division {
  my $zahl1 = shift;
  my $zahl2 = shift;

  return $zahl1 / $zahl2;
}

Using a validation framework, here Scalar :: Validation, the code only needs to be slightly expanded for a full validation:

use MyValidation;

sub division {
  my $zahl1 = validate (zahl1 => Zahl        => shift);
  my $zahl2 = validate (zahl2 => ZahlNotZero => shift);

  return $zahl1 / $zahl2;
}

Is zahl1a string, or a reference undefand not a number or zahl2 == 0the rules specified (create rules ) Zahlor ZahlNotZeroan exemption / error message. What exactly happens can be configured in the framework and does not need to interest the developer here. It is only important that the further program returnsequence is stopped before the instruction.

The rules can be defined and tested anywhere; B. also come from a database or only be defined at runtime: The rule Zahlcould stand for an integer , a floating point number , a rational number or a complex number . This is not specified here.

Web links

Input checks in PHP
Daniel Sentker: The right protection against cross-site scripting with PHP. Shift Blog, February 3, 2011, archived from the original on April 4, 2015 ; accessed on February 22, 2017 (example of sources of danger from non-validated inputs).

Individual evidence

^ Scalar :: Validation

[1] Scalar :: Validation