If an attacker were to provide a negative value, then the user would have their account credited instead of debited.

Example 2

This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.

Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88), or Command Injection (CWE-77) may also be possible.

Example 4

This function attempts to extract a pair of numbers from a user-supplied only the m variable will be initialized.

While this code checks to make sure the user cannot specify large, positive integers and consume too much memory, it does not check for negative values supplied by the user.

As a result, an attacker can perform a resource consumption (CWE-400) attack against this program by specifying two, large negative values that will not overflow, resulting in a very large memory allocation (CWE-789) and possibly a system crash.

This example attempts to build a list from a user-specified value, and even checks to ensure a non-negative value is supplied.
Example 3

The following example shows a PHP application in which the programmer attempts to display a user's birthday and homepage.
Notice that even if the programmer were to defend the $birthday variable by restricting input to integers and dashes, it would still be possible for an attacker to provide a string of the form: If this data were used in a SQL statement, it would treat the remainder of the statement as a comment.
The comment could disable other security-related logic in the statement.
In this case, encoding combined with input validation would be a more useful protection mechanism.
Furthermore, XSS (CWE-79) and SQL injection (CWE-89) are just a few of the potential consequences when input validation is not used.
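
The game-board dimension check and the number-pair extraction described above, combined in one added example (not code from the original page): the upper-bound-only check is shown beside a version that also rejects negative, zero and missing values. The function names, the input strings and the -40000 values are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 100  /* maximum board dimension given in the text */

/* Weak check as described: only an upper bound, so negatives pass. */
int dims_ok_weak(int m, int n) { return !(m > MAX_DIM || n > MAX_DIM); }

/* Hardened check: lower and upper bound on both dimensions. */
int dims_ok(long m, long n) {
    return m >= 1 && m <= MAX_DIM && n >= 1 && n <= MAX_DIM;
}

/* Squares an m x n board would need, computed wide enough not to overflow. */
long long cells_requested(int m, int n) { return (long long)m * n; }

/* Parse "m n" from one line. Returns 0 and sets *m,*n only when both numbers
 * are present, nothing trails them, and both pass dims_ok(); else -1. */
int parse_dims(const char *line, int *m, int *n) {
    char *end;
    errno = 0;
    long a = strtol(line, &end, 10);
    if (end == line || errno == ERANGE) return -1;   /* first number missing */
    const char *second = end;
    long b = strtol(second, &end, 10);
    if (end == second || errno == ERANGE) return -1; /* second number missing */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r') end++;
    if (*end != '\0') return -1;                     /* trailing junk */
    if (!dims_ok(a, b)) return -1;                   /* negative, zero, too big */
    *m = (int)a;
    *n = (int)b;
    return 0;
}

int main(void) {
    /* Constructed inputs, not taken from the page. */
    const char *inputs[] = { "8 8\n", "8\n", "-40000 -40000\n", "101 5\n" };
    printf("weak check accepts -40000 x -40000: %d (%lld squares)\n",
           dims_ok_weak(-40000, -40000), cells_requested(-40000, -40000));
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int m = 0, n = 0;
        int rc = parse_dims(inputs[i], &m, &n);
        printf("rc=%d m=%d n=%d\n", rc, m, n);
    }
    return 0;
}
```

Because the outputs are written only on success, a caller that checks the return value never reads a half-initialized pair.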