Sanitize user input: Difference between revisions

m (→‎{{header|Raku}}: sigh. more typos)
m (→‎{{header|Raku}}: more caveats)


Validating is making sure the input matches some predetermined format, usually with some sort of regular expression. For names, you probably want to allow a fixed maximum (and minimum!) number of characters drawn from: any word or digit character, space and period characters, and possibly some small selection of non-word characters. It is a careful balance between too restrictive and too permissive. You need to avoid falling into pre-conceived assumptions about:
[https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ names], [https://infiniteundo.com/post/25326999628/falsehoods-programmers-believe-about-time time], [https://medium.com/gender-2-0/falsehoods-programmers-believe-about-gender-f9a3512b4c9c gender], [https://www.mjt.me.uk/posts/falsehoods-programmers-believe-about-addresses/ addresses], [https://github.com/google/libphonenumber/blob/master/FALSEHOODS.md phone numbers]... the list goes on.
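The following is an added example, written in Python rather than Raku and not part of the Rosetta Code entry above, showing what a validating (not sanitizing) name check of the kind just described looks like: a bounded length plus a character allowlist expressed as a regular expression, with the input normalised first so that composed and decomposed forms of the same letter are treated alike. The length limits and the allowed punctuation set are assumptions to be tuned per application; anything that fails is rejected with a reason, never "cleaned up".

```python
import re
import unicodedata

# Policy (assumed for this example, adjust to taste): after NFC normalisation and
# trimming, a name is 1..64 code points, starts with a letter, and otherwise
# consists only of letters or digits from any script, space, period, apostrophe
# and hyphen. Note that len() counts code points, not grapheme clusters.
MIN_LEN = 1
MAX_LEN = 64

# In Python 3 str patterns, \w is Unicode-aware (letters, digits, underscore).
#   [^\W\d_]  -> a letter in any script (word char that is not a digit/underscore)
#   [^\W_]    -> a letter or digit (word char that is not underscore)
# Underscore is deliberately excluded; so are control characters, quotes other
# than the apostrophe, and every shell/SQL/HTML metacharacter.
_NAME_RE = re.compile(r"[^\W\d_](?:[^\W_]|[ .'\-])*")


def validate_name(raw: str) -> str:
    """Return the normalised name, or raise ValueError explaining why it was rejected."""
    if not isinstance(raw, str):
        raise ValueError("name must be a string")
    name = unicodedata.normalize("NFC", raw).strip()
    if not MIN_LEN <= len(name) <= MAX_LEN:
        raise ValueError(f"name must be between {MIN_LEN} and {MAX_LEN} characters")
    if _NAME_RE.fullmatch(name) is None:
        raise ValueError("name contains characters outside the allowed set")
    return name


def is_valid_name(raw) -> bool:
    """Boolean convenience wrapper around validate_name."""
    try:
        validate_name(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: realistic names that naive ASCII-only checks
    # wrongly reject, followed by inputs this policy rejects on purpose.
    for sample in ["María-José O'Neil", "Nguyễn Văn A", "  Alice  ",
                   "Robert'); DROP TABLE students;--", "_admin", "", "a" * 65,
                   "Bob\x00", "123"]:
        try:
            print(f"accepted {sample!r} as {validate_name(sample)!r}")
        except ValueError as err:
            print(f"rejected {sample!r}: {err}")
```

The check deliberately accepts hyphens, apostrophes and non-Latin letters (the "falsehoods about names" point above) while still refusing control characters, underscores, quotes, semicolons and anything longer than the bound, so the downstream code can rely on a small, known character set.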


When passing a user command to the operating system, you probably want to use whitelisting (an allowlist). Only a very few commands from a predetermined list are allowed to be used: the user's string is compared exactly against that list, the matching entry supplies the actual program and arguments, and it is executed directly as an argument vector rather than through a shell, so shell metacharacters in the input are never interpreted. Anything not on the list is rejected outright rather than cleaned up.
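As an added example (Python, not Raku, and not part of the Rosetta Code entry), here is the allowlist approach next to the string-concatenation pattern it replaces. The command table and the hostname argument rule are hypothetical; the point is that the user only ever names a key in the table, the table supplies the real argv, and the argv is handed to the OS without a shell.

```python
import re
import subprocess
from typing import List, Optional

# THE PATTERN TO AVOID (shown for contrast, never called here): user text pasted
# into a shell command line. Input such as "date; id" runs both commands.
def unsafe_run(user_input: str):
    return subprocess.run("some_tool " + user_input, shell=True)


# Allowlist (hypothetical command set): user-facing name -> fixed argv prefix.
# The user can only choose a key; the program path and its flags are ours.
ALLOWED = {
    "date":   ["date", "-u"],
    "uptime": ["uptime"],
    "lookup": ["getent", "hosts"],   # takes exactly one argument: a hostname
}

# For commands that accept an argument, the argument gets its own validation
# (same idea as the name check: a bounded, explicit allowlist of characters).
# Hostname rule used here: dot-separated labels of 1..63 alphanumerics/hyphens,
# not starting or ending with a hyphen, so it can never begin with '-' and be
# mistaken for an option.
_HOSTNAME = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ARG_PATTERNS = {
    "lookup": re.compile(rf"{_HOSTNAME}(?:\.{_HOSTNAME})*"),
}


def build_argv(command: str, argument: Optional[str] = None) -> List[str]:
    """Map a user-supplied command name (and optional argument) to a safe argv.

    Raises PermissionError for any command not on the list and ValueError for a
    missing, unexpected or malformed argument. No attempt is made to 'fix' input.
    """
    if command not in ALLOWED:          # exact match: no case folding, no prefixes
        raise PermissionError(f"command not allowed: {command!r}")
    argv = list(ALLOWED[command])
    pattern = ARG_PATTERNS.get(command)
    if pattern is None:
        if argument is not None:
            raise ValueError(f"{command} takes no argument")
        return argv
    if argument is None or len(argument) > 253 or pattern.fullmatch(argument) is None:
        raise ValueError(f"invalid argument for {command}: {argument!r}")
    argv.append(argument)
    return argv


def run_user_command(command: str, argument: Optional[str] = None, timeout: float = 5.0):
    """Execute an allowlisted command. The list form of subprocess.run goes to
    execve directly; there is no shell, so ; | & $( ) ` have no meaning."""
    argv = build_argv(command, argument)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed inputs: two legitimate requests, then typical injection attempts.
    for cmd, arg in [("date", None), ("lookup", "example.com"),
                     ("date; id", None), ("lookup", "example.com; rm -rf /"),
                     ("lookup", "-h"), ("DATE", None), ("uptime", "x")]:
        try:
            print(f"{cmd!r} {arg!r} -> argv {build_argv(cmd, arg)}")
        except (PermissionError, ValueError) as err:
            print(f"{cmd!r} {arg!r} -> rejected: {err}")
```

Note that the rejection happens on the exact user string: "date; id" is not a key, so it never reaches the shell or the OS at all, and the hostname rule for `lookup` refuses metacharacters and leading hyphens so the argument cannot turn into an extra command or an option.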