Do you validate your URL variables?

Question

When you're passing variables through your site using GET requests, do you validate (regular expressions, filters, etc.) them before you use them?

Say you have the URL http://www.example.com/i=45&p=custform. You know that "i" will always be an integer and "p" will always contain only letters and/or numbers. Is it worth the time to make sure that no one has attempted to manipulate the values and then resubmit the page?

Answer 1

Yes. Without a doubt. Never trust user input.

To improve the user experience, input fields can (and IMHO should) be validated on the client. This can pre-empt a round trip to the server that only leads to the same form and an error message.

However, input must always be validated on the server side since the user can just change the input data manually in the GET url or send crafted POST data.

In a worst case scenario you can end up with an SQL injection, or even worse, a XSS vulnerability.

Most frameworks already have some builtin way to clean the input, but even without this it's usually very easy to clean the input using a combination of regular exceptions and lookup tables.

• Say you know it's an integer, use int.Parse or match it against the regex "^\d+$".
• If it's a string and the choices are limited, make a dictionary and run the string through it. If you don't get a match change the string to a default.
• If it's a user specified string, match it against a strict regex like "^\w+$"

Answer 2

As with any user input it is extremely important to check to make sure it is what you expect it is. So yes!

Answer 3

Yes, yes, and thrice yes.

Many web frameworks will do this for you of course, e.g., Struts 2.

Answer 4

One important reason is to check for sql injection. So yes, always sanitize user input.

Answer 5

Yes, check them as thoroughly as you can. In PHP I always check the types (IsInt(i), IsString(p)).

Answer 6

not just what the others are saying. Imagine a querystring variable called nc, which can be seen to have values of 10, 50 and 100 when the user selects 10, 50 and 100 results per page respectively. Now imagine someone changing this to 50000. If you are just checking that to be an integer, you will be showing 50000 results per page, affecting your pageviews, server loads, script times and so on. Plus this could be your entire database. When you have such rules (10, 50 or 100 results per page), you should additionaly check to see if the value of nr is 10, 50 or 100 only, and if not, set it to a default. This can simply be a min(nc, 100), so it will work if nc is changed to 25, 75 and so on, but will default to 100 if it sees anything above 100.

Answer 7

I want to stress how important this is. I know the first answer discussed SQL Injection and XSS Vulnerabilities. The latest rave in SQL Injection is passing a binary encoded SQL statement in query strings, which if it finds a SQL injection hole, it will add a http://reallybadsite.com'/> to every text field in your database.

As web developers we have to validate all input, and clean all the output.

Remember a hacker isn't going to use IE to compromise your site, so you can't rely on any validation in the web.