Input Validation Strategies
Input Validation Strategies
While parameterized queries prevent injection, input validation adds defense in depth and improves application robustness:
// Comprehensive input validation in Node.js.
// `validator` is the third-party npm package whose isEmail()/isInt() helpers
// are used by validateUserInput() below.
// NOTE(review): validator's checks appear to expect string arguments -- confirm
// before passing raw numbers or undefined through to them.
const validator = require('validator');
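// Allow-list for usernames: 3-20 ASCII letters, digits or underscores,
// anchored so the whole value must match.
const USERNAME_PATTERN = /^[a-zA-Z0-9_]{3,20}$/;

// Denylist used by the heuristic SQL-keyword check below. Matching is by
// case-insensitive substring, so ordinary words such as "selected" or
// "dropped" also trip it -- keep this list short and treat it as a
// heuristic, not a security boundary.
const SQL_KEYWORDS = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'UNION'];

/**
 * Validates an untrusted user-input record before it is handed to the
 * data layer. Parameterized queries remain the primary injection control;
 * this function is a defense-in-depth and robustness check only.
 *
 * @param {object} input - Record with `username`, `email`, `userId` and an
 *   optional `comment`. A missing/null `comment` is treated as empty.
 * @returns {true} when every field passes.
 * @throws {Error} 'Invalid input' when `input` is not an object;
 *   'Invalid username format', 'Invalid email address', 'Invalid user ID',
 *   'Invalid comment' or 'Potentially malicious input detected' otherwise.
 */
function validateUserInput(input) {
  if (input === null || typeof input !== 'object') {
    throw new Error('Invalid input');
  }
  const { username, email, userId, comment } = input;

  // Type-check before the regex: RegExp.test() stringifies its argument, so
  // a missing username would otherwise become the string "undefined", which
  // satisfies the allow-list.
  if (typeof username !== 'string' || !USERNAME_PATTERN.test(username)) {
    throw new Error('Invalid username format');
  }

  // Guard the type ourselves so a missing field yields a validation error
  // rather than a TypeError from inside the validator library.
  if (typeof email !== 'string' || !validator.isEmail(email)) {
    throw new Error('Invalid email address');
  }

  // Accept the ID as a number or a numeric string; validator.isInt operates
  // on strings, so normalize first. Only positive integers are allowed.
  const userIdText =
    typeof userId === 'number' || typeof userId === 'string' ? String(userId) : '';
  if (userIdText === '' || !validator.isInt(userIdText, { min: 1 })) {
    throw new Error('Invalid user ID');
  }

  // Heuristic SQL keyword detection (defense in depth). A missing comment is
  // treated as empty instead of crashing on .toUpperCase(); any other
  // non-string value is rejected explicitly.
  const commentText = comment == null ? '' : comment;
  if (typeof commentText !== 'string') {
    throw new Error('Invalid comment');
  }
  const upperComment = commentText.toUpperCase();
  if (SQL_KEYWORDS.some((keyword) => upperComment.includes(keyword))) {
    throw new Error('Potentially malicious input detected');
  }

  return true;
}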