In software, form input validation is essential. It not only maintains data integrity but also enhances security and improves user interaction by providing real-time feedback on input errors. The two main techniques for input validation are allowed and disallowed validation. While both methods have their use cases, this article outlines why allowed validation is often superior to disallowed.
Comparing Disallowed vs Allowed Validation
Disallowed list validation, also known as negative or blacklist validation, works by identifying and blocking specific types of unwanted user input. On the other hand, allowed validation, aka positive or whitelist validation, operates by accepting a predetermined set of input values and discarding the rest.
Example: Throwing a Party
Am I invited to your party? ?
Imagine you’re throwing a party and you have two lists: invited and banned. The banned (disallowed) list contains names of people you definitely do not want at your party – perhaps because they have caused trouble in the past or are known for uninvited gatecrashing. If anyone from this list tries to visit, they are blocked and will not gain entry to the party.
There is an inherent resource problem with this approach, as you have to actively identify each and every person you don’t want at your party, and add them to your banned list. Considering the vast number of potential troublemakers or uninvited guests, it would be a lot of work. Plus, someone new and unwanted could always show up and cause chaos, simply because they weren’t on your banned list.
On the other hand, if you use invitations (allowed), you only need to select the people you do want at your party. It’s a manageable number of people and you’re assured that they are all individuals you trust. This substantially reduces the workload of managing the list. Rather than checking each guest against a potentially long banned list, which would take a lot of time and resources, you just check against the concise invited list. It’s faster and there’s less risk of error.
Code Example
Continuing from our party example, let’s start with an array of people that will likely show up to the door.
Using this array, combined with our banned list, a security guard can determine who to let into the party:
However, there is a problem here, as each person that is not on the banned list will need to be manually vetted, requiring the security guard to leave the door and check with the host if the person in question can come in (otherwise, there could be a long list of troublemakers entering the party). This takes time and resources away from the duties of the security guard AND host.
On the other hand, by having an allowed list, the security guard can quickly and easily determine if a person is allowed to enter, without using any additional resources.
So, while each of these code examples seem similar and useful, there is clear winner when it comes to saving time and resources, because — after all — we came here to party, not work!
Now that’s a party worth throwing! ?
More Reasons Why Allowed Validation is Preferred
1. Exhaustiveness
Disallowed validation requires us to anticipate and list all potentially harmful inputs, a near impossible task considering the infinite possibilities for malicious input. Conversely, allowed validation simply needs a well-defined list of acceptable inputs.
2. Security
Disallowed lists may be susceptible to bypass techniques. A crafty attacker could format malicious input in a way that isn’t anticipated by the disallowed list. Allowed validation tends to be more secure, as it flatly rejects anything not explicitly approved.
3. Maintainability
Keeping an allowed list up-to-date is typically easier than maintaining a disallowed list. As new threats emerge, a disallowed list must constantly be updated and monitored. An allowed list, on the other hand, only needs to be updated when there are changes to what is considered acceptable input.
4. Efficiency
Disallowed validation compares input against potentially large sets of rules or patterns, which can be resource-intensive. In contrast, allowed validation usually involves a quicker check against a smaller set of accepted inputs.
In summary, allowed validation offers a more robust, efficient, and easily maintained approach to form input validation compared to its disallowed counterpart. So next time you’re creating some application lists, remember to use the party invitations technique, and spare your security guard and host the extra work!
??