Web Service Input Validation

22 February 2007

I blogged about the importance of input validation some time ago: App Architecture with Security in mind – Video, Part I

Web Services are no different from ASPX pages: they accept parameters and process them. So the strategy for input validation should be the same as with ASPX: each and every input parameter MUST be checked for goodness against an allow list (no black lists allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest approach is a regular expression check at the top of the web method, as follows:

from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1


   using System;
   using System.Text.RegularExpressions;

   public decimal RetrieveAccountBalance(string accountId)
   {
      // Allow-list check: 1 to 40 letters, apostrophes, dots or whitespace only
      if (!Regex.IsMatch(accountId, @"^[a-zA-Z'.\s]{1,40}$"))
      {
         // AccountID does not match expression
         // do not process request
         throw new ArgumentException("accountId does not match the expected format", "accountId");
      }

      // ... retrieve and return the balance here (placeholder) ...
      return 0m;
   }

Common regex patterns are here: http://msdn2.microsoft.com/en-us/library/ms998267.aspx
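The allow-list check from the snippet above, carried into a small runnable model in Python. This is an added example, not code from the post or from MSDN; the pattern names, the two hardened variants, the `validate_params` helper and the balance table are constructed for it. Besides checking every parameter before any processing, it shows two ways the quoted pattern admits more than it looks like: `\s` accepts tabs and newlines, and `$` still matches before a single trailing newline, which `\Z` (`\z` in .NET) does not.

```python
import re

# Allow-list pattern quoted in the post: 1 to 40 letters, apostrophes, dots or whitespace.
ACCOUNT_ID_MSDN = r"^[a-zA-Z'.\s]{1,40}$"
# Constructed variants for comparison: replace \s with a literal space, then swap the
# ^/$ anchors for \A/\Z (\z in .NET), which cannot match before a trailing newline.
ACCOUNT_ID_NO_WS = r"^[a-zA-Z'. ]{1,40}$"
ACCOUNT_ID_STRICT = r"\A[a-zA-Z'. ]{1,40}\Z"


def is_match(value, pattern):
    """Mirror Regex.IsMatch: True if the pattern matches anywhere in value."""
    return re.search(pattern, value) is not None


def validate_params(schema, **params):
    """Check every named parameter against its allow-list pattern.

    Returns the names of the parameters that failed (empty list if all pass),
    so the caller can reject the request before doing any work with it.
    """
    failed = []
    for name, pattern in schema.items():
        value = params.get(name)
        # A missing or non-string parameter is a failure, not a default.
        if not isinstance(value, str) or not is_match(value, pattern):
            failed.append(name)
    return failed


# Constructed stand-in for the real data access layer.
_BALANCES = {"John O'Brien": 42.50, "Alice": 100.0}


def retrieve_account_balance(account_id, currency):
    """Toy web method: every input is allow-list checked before processing."""
    schema = {
        "account_id": ACCOUNT_ID_STRICT,
        "currency": r"\A[A-Z]{3}\Z",  # constructed: exactly three upper-case letters
    }
    bad = validate_params(schema, account_id=account_id, currency=currency)
    if bad:
        # Do not process the request; say which inputs were rejected.
        raise ValueError("invalid parameter(s): " + ", ".join(bad))
    return _BALANCES.get(account_id, 0.0)
```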

It is more complicated when dealing with complex types as input parameters; I will save that for the next post.



  1. Kevin Lam, 27 April 2007 at 10:19

    Hey Alik,

    I just posted a blog about different approaches to input validation (1st in a series of 3) at http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/.



    Kevin Lam
    Impacta LLC (http://www.impactalabs.com)

    "Risk management solutions working for you"