Data validation

Data validation in software engineering refers to checking input from the user or from external data sources. Because missing or unusable entries can cause the program to fail, these values must be validated.

Validation as a plausibility check

Validation is understood as a plausibility test (sanity check), in which a specific value is checked to see whether it belongs to a particular data type, lies within a predetermined range of values or belongs to a specified set of values. Many bugs and security problems are due to missing plausibility checks on input values.

The golden rule of validation is: never trust the user (also: never trust user input). Validation can take place at different points in the lifetime of a software package:

  • In the development process: While the program is being written, the individual functions and modules should regularly be subjected to unit tests, which check the source code for correct behavior across the whole code base (code coverage analysis).
  • When the program is compiled: Some kinds of validation can already be done by the compiler, in particular type checking.
  • Through the runtime environment: Many programming languages have a runtime system that detects certain kinds of errors on its own; in particular, access to non-existent objects is recognized by many modern systems.
  • At run time: All functions and modules should be implemented defensively, that is, they should not trust that they are used correctly. When they are called with incorrect parameters, they should report an error immediately instead of risking complicated consequential errors (hence the rule of thumb: fail fast). Exception handling is particularly well suited to this. For incorrect parameter values that, in the programmer's opinion, "can never actually happen", assertions are used.
  • User input: here the principle is "whatever can be checked is checked". For invalid input, error handling is started, an error message is issued and processing is refused. For doubtful input, a warning or a request for the user to review it can be issued.

Areas of application

  • The entries in online forms should always be validated in order to avoid security risks.
  • In XML, data elements are checked against a pattern. If this check fails, the XML data is considered not valid (well-formed).

Example of how to validate user input in PHP

If input from a user is not validated, errors can occur later in the program. Here is an example of a PHP script that receives form data via HTTP POST and divides the first number by the second:

    // No validation: the submitted values are used exactly as received.
    $num1 = $_POST['num1'];
    $num2 = $_POST['number2'];
    echo $num1 / $num2;

Here the developer has not considered some possible sources of error:

  • The result is unexpected if the user has not filled in one of the two text fields.
  • Likewise, the user may only enter numbers in the text boxes, because PHP may otherwise misinterpret the string due to its dynamic typing.
  • If the value of num2 is '0', the division fails (dividing by 0 is not possible).

From a validation standpoint, these cases must be ruled out to allow error-free operation:

    if (isset($_POST['num1']) && isset($_POST['number2'])) { // Are both text boxes filled in at all?
        $num1 = $_POST['num1'];
        $num2 = $_POST['number2'];

        if (is_numeric($num1) && is_numeric($num2)) { // Are both values numeric?
            if ($num2 != 0) { // Is number2 not equal to 0?
                echo $num1 / $num2;
            } else {
                echo 'Cannot divide by 0';
            }
        } else {
            echo 'Both fields must contain only numbers';
        }
    } else {
        echo 'Please fill in both text fields';
    }
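The same division as an added example (not part of the original article), restructured so that each check throws an exception at once (fail fast) and with the range check from the plausibility section included. The function names parseNumber() and divideInput() and the range limits are assumptions; the field names are those of the script above.

```php
<?php
declare(strict_types=1);

// Added example; parseNumber() and divideInput() are hypothetical names.
// Parse one form field as a finite float in [$min, $max]; throw on any doubt.
function parseNumber(array $input, string $key, float $min, float $max): float
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        // Missing field, or an array (number2[]=1) sent instead of a string.
        throw new InvalidArgumentException("Field '$key' is missing");
    }
    // FILTER_NULL_ON_FAILURE: invalid input yields null instead of false.
    $value = filter_var($input[$key], FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
    if ($value === null || !is_finite($value)) {
        throw new InvalidArgumentException("Field '$key' must be a number");
    }
    if ($value < $min || $value > $max) {
        throw new RangeException("Field '$key' is outside the allowed range");
    }
    return $value;
}

function divideInput(array $input): float
{
    $num1 = parseNumber($input, 'num1', -1e9, 1e9); // range limits are assumed
    $num2 = parseNumber($input, 'number2', -1e9, 1e9);
    if ($num2 == 0.0) {
        throw new DomainException('Cannot divide by 0');
    }
    return $num1 / $num2;
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['num1' => '10', 'number2' => '4'],
    ['num1' => '10', 'number2' => '0'],
    ['num1' => '10'],
    ['num1' => 'ten', 'number2' => '2'],
    ['num1' => '10', 'number2' => '1e12'],
];
foreach ($samples as $post) {
    try {
        echo divideInput($post), PHP_EOL;
    } catch (InvalidArgumentException | RangeException | DomainException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The error messages contain only field names fixed in the code, never the submitted value, so nothing user-controlled is echoed back into the page.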