
Offensive360
Beginner · 15 min

Weak Input Validation

Master allowlist-based validation and understand why client-side checks are never enough.

1 Why Input Validation Matters

Nearly every injection attack — SQLi, XSS, command injection, path traversal — is made worse (or possible) by missing or insufficient input validation. Validating inputs early and strictly limits the attack surface for every other vulnerability class.

Client-side validation is never sufficient. Any user can bypass it with browser dev tools, curl, or a proxy. Always validate on the server:

// Client-side only — trivially bypassed
if (!/^[a-z]+$/.test(username)) {
  alert("Invalid username");
  return; // attacker just sends the request directly, skipping this
}

2 Allowlists vs Blocklists

Allowlists define exactly what is permitted — everything else is rejected. This is far more secure than blocklists (blacklists), which try to enumerate all bad inputs. Blocklists are always incomplete.

import re
from flask import abort  # Flask's abort(); any framework's "reject with 400" works here

# `username` is the raw value taken from the request (e.g. request.form["username"])

# BLOCKLIST — easy to bypass (what about %00, unicode, encoding tricks?)
BAD_CHARS = ['<', '>', '"', "'", ';', '--']
if any(c in username for c in BAD_CHARS):
    abort(400)

# ALLOWLIST — explicit, hard to bypass
# re.fullmatch anchors both ends, so nothing can be prepended or appended
if not re.fullmatch(r'[a-zA-Z0-9_-]{3,32}', username):
    abort(400, "Username must be 3-32 characters: letters, numbers, _ or -")

Use allowlist regex for all user-facing identifiers: usernames, filenames, IDs, codes, tokens.

3 Type, Range, and Format Validation

Beyond character allowlists, validate the type, length, and business constraints of every input:

from pydantic import BaseModel, Field, EmailStr

class CreateUserRequest(BaseModel):
    username: str = Field(min_length=3, max_length=32, pattern=r'^[a-zA-Z0-9_-]+$')
    email: EmailStr
    age: int = Field(ge=13, le=120)  # must be between 13 and 120

# Pydantic raises ValidationError automatically — no manual checks needed

Libraries like Pydantic (Python), Zod (TypeScript), Joi (Node.js), and FluentValidation (C#) make it easy to declare validation schemas that are enforced consistently across your application. Prefer library validation over manual string checks — it is harder to forget edge cases.

Knowledge Check

Q1

Why is client-side input validation alone insufficient?

Q2

Which approach is more secure for validating a product ID field?

Q3

What is the primary advantage of using a validation library (e.g., Pydantic, Zod, Joi) over manual validation code?

Code Exercise

Add Server-Side Allowlist Validation

This registration endpoint has no server-side input validation — it only relies on the frontend. Add server-side validation: username must match ^[a-zA-Z0-9_-]{3,32}$ and age must be an integer between 13 and 120.
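One way to write the server-side check this exercise asks for, as an added example rather than the Academy's reference solution. The function name validate_registration, its error-list return style, the helper anchored_match_accepts and the sample payloads are assumptions; it also shows two pitfalls the lesson's allowlist and range rules can hide: re.match with ^...$ accepting a trailing newline, and bool counting as int.

```python
import re
from typing import Any

# Allowlist from the lesson: 3-32 chars, letters, digits, underscore, hyphen.
USERNAME_RE = re.compile(r'[a-zA-Z0-9_-]{3,32}')
AGE_MIN, AGE_MAX = 13, 120


def anchored_match_accepts(username: str) -> bool:
    """The exercise's pattern with re.match: '$' also matches just before a
    trailing newline, so 'alice\\n' is accepted. Kept only to show the pitfall."""
    return re.match(r'^[a-zA-Z0-9_-]{3,32}$', username) is not None


def validate_registration(payload: dict[str, Any]) -> list[str]:
    """Server-side validation of one registration payload (hypothetical helper).
    Returns error messages; an empty list means the payload is acceptable."""
    errors: list[str] = []

    username = payload.get("username")
    # Type check first: None or a list must never reach the regex.
    if not isinstance(username, str):
        errors.append("username: must be a string")
    # fullmatch anchors both ends; a NUL byte or newline fails the class.
    elif not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-32 characters: letters, numbers, _ or -")

    age = payload.get("age")
    # bool is a subclass of int (isinstance(True, int) is True), so exclude it
    # explicitly instead of letting JSON `true` register as age 1.
    if isinstance(age, bool) or not isinstance(age, int):
        errors.append("age: must be an integer")
    elif not AGE_MIN <= age <= AGE_MAX:
        errors.append(f"age: must be between {AGE_MIN} and {AGE_MAX}")

    return errors


# Constructed sample payloads, shaped like the JSON a client would send.
SAMPLES = {
    "ok":               {"username": "alice_01", "age": 30},
    "trailing_newline": {"username": "alice\n", "age": 30},
    "nul_byte":         {"username": "ali\x00ce", "age": 30},
    "age_as_string":    {"username": "bob", "age": "30"},
    "age_as_bool":      {"username": "bob", "age": True},
    "age_out_of_range": {"username": "bob", "age": 9},
    "missing_fields":   {},
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:17} -> {validate_registration(payload) or 'valid'}")
```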
