The web works very easy right? Input -> Process -> Output If your Input has already an invalid state, processing and outputing data will be unpredictable. This is why input validation as strict as possible matters.

1. SET BOUNDARIES - FIND PEACE
Input validation

2. Hi, I am Michi!
Head of Code at
@michilehr

3. How does the web work ?

4. Input
Process
Output

6. InvalidArgumentException
"" is not a valid BookReference.

7. TypeError
Support::setComment(): Argument #1 ($comment) must be of type
string, null given, called in ../SupportController.php on line 25

8. Uncaught Exception
Failed to parse time string (2024-4-66) at position 8 (6)

9. An exception occurred while executing a query:
SQLSTATE[22001]: String data, right truncated:
1406 Data too long for column 'text' at row 1

10. Input
Process
Output

12. You know the boundaries of your code!

13. ● reduce unpredictable behavior
● less errors
● reduce security risks (XSS…)
● better UX
Why validation?

14. ● Data type validators (int, string..)
● Minimum and maximum value range check for numerical
parameters and dates
● Minimum and maximum length check for strings
● Array of allowed values for small sets of string
parameters
● Regular expressions for any other structured data
covering
● Validation against JSON Schema and XML Schema
What and how to validate?

15. OWASP Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

16. It is not just the backend

18. ● Sanitze query param
● Allow list of domains or whole URLs
● CSP
What and how to secure?

19. Add extra layer of security to mitigate XSS
and data injection attacks
Content Security Policy (CSP)

20. Thank you for your time!
Questions?
Feedback?
Notes?