Validating inputs in College chat rooms for sexual talks
Validating input is intended to prevent the entry of unsafe data into the web application.
It has a significant stumbling block in that validation is usually performed to check if data is safe for its first intended use.
In that new context, some of the characters we allow would still be dangerous - our name might actually be a carefully crafted string intended to perform an SQL Injection attack.
The outcome of this is that input validation is inherently unreliable.
In suggesting that users are untrusted, we imply that everything else is trusted. Users are just the most obvious untrusted source of input since they are known strangers over which we have no control.
Input validation is both the most fundamental defense that a web application relies upon and the most unreliable.
The common phrase you will have seen in PHP is to never trust “user input”.
This is one of those compartmentalising by trust value issues I mentioned.
The problem with accepting a php:// URL is that it can be passed to PHP functions which expect to retrieve a remote HTTP URL and not to return data from executing PHP (via the PHP wrapper).As with any security oriented library, be sure to personally review your preferred library for flaws and limitations.It’s also worth bearing in mind that PHP is not above some bizarre arguably unsafe behaviours.You should bear these in mind whenever implementing custom validators or adopting a 3rd party validation library.When it comes to 3rd party validators, also consider that these tend to be general in nature and most likely omit key specific validation routines your web application will require.