One of our developers has an opinion that all client data should be validated be
Question
One of our developers has an opinion that all client data should be validated before using it. Even non-input data.
Say, our web service has an internal protection against database injections.
Examples: machine generated codes, various integers, indexes, calculated values.
We use an ORM (Django). As far as I know, Django takes the following approach: validate only values entered as primary strings (usually via web forms).
For example: is there any reason to create validation rules to validate numbers if we know that there will be a 500 error (if the data are wrong) at the beginning of request handling? I think not. But I'm probably wrong.
Does my position need to be changed?
Explanation / Answer
You should ALWAYS validate ANY data that is inserted into your database, either before or after it is actually inserted into your database program. Preferably both, if practical.
Of course, we should write software correctly the first time, everyone should pay their taxes on time, and no one should ever cheat on their spouse. Just because something's a good rule doesn't mean you need to blindly follow it.
Your other developer is right, in that client data should be validated, if it's given as an XML or JSON or CSV file or as a database vendor's binary backup format. Some of these will make the validation easier (XML + binary backup), but you should always have a plan for "what if this data is corrupted or given entirely wrongly."
At the very least:
For bonus credit, teach whoever's sending you data how to run a CRC on a file, and have them provide that via separate cover.
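An added example, not part of the original answer: one way to check a client-supplied JSON file against a CRC delivered separately and then validate the "non-input" fields from the question (indexes, machine-generated codes) so that bad data is rejected cleanly instead of surfacing as a 500. The field names `index` and `code`, the 8-character code format and the `RejectedData` exception are assumptions made for illustration.

```python
import json
import re
import zlib

CODE_RE = re.compile(r"[A-Z0-9]{8}")  # assumed format for machine-generated codes


class RejectedData(ValueError):
    """Any client data that fails validation (map this to HTTP 400, not 500)."""


def crc32_hex(payload: bytes) -> str:
    return format(zlib.crc32(payload) & 0xFFFFFFFF, "08x")


def load_client_records(payload: bytes, expected_crc: str) -> list[dict]:
    # 1. Integrity: compare against the CRC the sender delivered separately.
    #    CRC32 catches accidental corruption only; it is not tamper-evident.
    if crc32_hex(payload) != expected_crc.strip().lower():
        raise RejectedData("CRC mismatch: file corrupted or truncated in transit")
    # 2. Well-formedness: corrupted or entirely wrong data must fail cleanly.
    try:
        rows = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedData(f"not valid UTF-8 JSON: {exc}") from exc
    if not isinstance(rows, list):
        raise RejectedData("top-level value must be a list of records")
    # 3. Field rules, including values no human typed (indexes, generated codes).
    clean = []
    for i, row in enumerate(rows):
        if not isinstance(row, dict):
            raise RejectedData(f"record {i}: not an object")
        index, code = row.get("index"), row.get("code")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(index, bool) or not isinstance(index, int) or not 0 <= index < 2**31:
            raise RejectedData(f"record {i}: index must be an integer in [0, 2^31)")
        if not isinstance(code, str) or not CODE_RE.fullmatch(code):
            raise RejectedData(f"record {i}: code does not match expected format")
        clean.append({"index": index, "code": code})  # unknown keys are dropped
    return clean


# Constructed sample input, not real client data.
SAMPLE = b'[{"index": 0, "code": "A1B2C3D4"}, {"index": 7, "code": "ZZ99ZZ99"}]'
```

In a Django view, catching `RejectedData` and returning a 400 response keeps malformed client data from reaching the ORM at all.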