Elements of Enterprise-Grade Web Frameworks – Part 12: Input Validation

In the final article of this series on enterprise-grade web apps, we review one of the key benefits of web frameworks: input validation. Though many programmers relegate it to an afterthought, input validation is the primary defense of most software against its two most significant weaknesses: hostile input from attackers and unexpected data that triggers system errors.

For a little background, a web application’s input validation consists of the checks it performs on form fields and on every other source of user-controlled data: query strings, JSON bodies, headers, cookies and uploaded files. For instance, in a simple contact form that asks for a name and email address, input validation checks that the user did not leave the name or email blank and that the email address is syntactically valid. These checks must run on the server; client-side validation improves usability but is trivially bypassed by anyone who submits the request without the browser. As form input grows more complex to include files, data structures and business logic, the validation code grows correspondingly more complicated.

The primary reason most programmers don’t enjoy coding input validation is that it provides no new functionality or visible progress. Validation is often written after the “meat” of the form is complete. In a registration form, for instance, the exciting part is storing and processing the data in the database, and the validation checks are added only at the expense of other, more interesting, functionality, if they are added at all.

Still, proper validation is absolutely necessary in good software. Handling every possible logical error keeps incorrect data out of the database and improves usability by giving users a friendly error message when they enter something incorrectly. In addition, many attacks work by submitting crafted data in a field, causing the system to fail or to expose database internals; SQL injection and cross-site scripting are the classic examples. A plethora of bots continuously scan websites for exactly these weaknesses, hoping to retrieve email addresses, passwords and other sensitive user information. Validation is the first line of defense against such input, but it complements rather than replaces parameterized queries and output encoding: a legitimate value such as the surname O’Brien must still be stored and displayed safely after it passes validation.

With both the importance of input validation and the tendency of many programmers to shortchange it, a web framework that simplifies validation helps both to reduce development time and to increase system security. Each framework has its own techniques for implementing input validation.

PHP is the least advanced with regard to automated input validation. Most developers write their own helper functions, or use the filter extension’s filter_var() for the common cases (FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_INT). Parameterized queries are available through PDO and mysqli prepared statements, though still underused; PDO needs the matching driver for each database. PHP’s best-known security features are two low-level functions: htmlspecialchars(), which encodes text for HTML output to reduce cross-site scripting, and mysql_real_escape_string(), which escapes string values before they are concatenated into a query to prevent SQL injection. Both need caveats. htmlspecialchars() should be called with ENT_QUOTES and the charset so that single quotes are encoded too, and it is only correct for HTML element content and attribute values, not for JavaScript, URL or CSS contexts. mysql_real_escape_string() belongs to the old mysql extension, deprecated in PHP 5.5 and removed in PHP 7.0 (mysqli_real_escape_string() is its successor), and escaping only protects a value that sits inside a quoted string literal: an unquoted numeric parameter built by concatenation stays injectable, which is why prepared statements are the correct tool.
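The following is an added example written for this edit; it is not the article’s own code and it is not PHP. It uses Python and its built-in sqlite3 module so that the point about escaping versus bound parameters can be run offline: the users table, its two rows and the lookup functions are all constructed for the illustration, and sql_escape() is a hypothetical stand-in for what mysql_real_escape_string() does, written in SQLite’s quote-doubling dialect.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with two users (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def find_user_unsafe(conn, email):
    """Vulnerable: the user-supplied value is spliced straight into the SQL text."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(sql))


def sql_escape(value):
    """Hypothetical stand-in for mysql_real_escape_string() in SQLite's dialect:
    doubles single quotes so the value cannot close a quoted literal."""
    return value.replace("'", "''")


def find_user_escaped(conn, email):
    """Escaping inside a quoted literal: this particular case is safe."""
    sql = f"SELECT email FROM users WHERE email = '{sql_escape(email)}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_id_escaped(conn, id_text):
    """Still vulnerable: escaping does nothing when the value is not inside quotes,
    so a numeric parameter built by concatenation stays injectable."""
    sql = f"SELECT email FROM users WHERE id = {sql_escape(id_text)}"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, email):
    """Hardened: fixed query text, the value travels as a bound parameter."""
    sql = "SELECT email FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))


def find_by_id_safe(conn, id_text):
    """Hardened numeric lookup: validate the type first, then bind the integer."""
    if not id_text.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT email FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (int(id_text),)))


def escape_for_html(text):
    """Equivalent of htmlspecialchars($text, ENT_QUOTES, 'UTF-8'): encodes & < > " and '.
    Correct only for HTML element content and quoted attribute values; JavaScript,
    URL and CSS contexts each need their own encoder."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "x' OR '1'='1"))     # both users leak
    print(find_user_escaped(db, "x' OR '1'='1"))    # []
    print(find_by_id_escaped(db, "1 OR 1=1"))       # both users leak again
    print(find_user_safe(db, "x' OR '1'='1"))       # []
    print(escape_for_html("<b onclick='x'>\""))
```

The payload `x' OR '1'='1` demonstrates the injection the article has in mind, while `1 OR 1=1` against the escaped-but-unquoted id shows why escaping is not a general fix and bound parameters are.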

ASP.NET is, as usual, the best and worst of both worlds. Instead of implementing validation through a centralized, automated system, the framework pushes server-side validation into controls that are interspersed with the interface markup. The validation is very flexible and can be tweaked to handle many scenarios, but Microsoft’s attempt to provide a unified GUI designer together with extensive functionality often results in difficult-to-maintain code. The framework does provide several neat features for GUI-oriented developers: pop-up and text-based error notifications, custom validation expressions, and dependencies between fields. One caveat for the practitioner: the validator controls also emit client-side script, but the server-side result is only honored if the postback handler checks Page.IsValid before acting on the data. ASP.NET also offers extensive security features and parameterized queries throughout most of its database providers.

Ruby on Rails, on the other hand, offers well-designed and easy-to-use validation. Its simplicity and flexibility lie primarily in its declarative, model-level validations (presence, format and length rules declared on the model) and in the automatic generation of error messages. Because the rules live on the model rather than on a particular form, they apply no matter which route the data arrives by, so AJAX requests and API calls are validated as well. Node.js offers similar functionality through add-on libraries for Rails-style validation. Another Node.js library, express-validator, is also making significant headway with an attractive assert-based validation style. This style combines testing terminology with validation, implying that unvalidated input is untested input. Not only is this an accurate viewpoint, it also simplifies Test-Driven Development (TDD).
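As an added example (not code from the article, from Rails or from express-validator), here is the contact form from the opening of the article validated with a small set of Rails-style declarative rules written in Python, including the generated error messages and an assert-style entry point of the kind express-validator encourages. The field names, the rule set and the simplified email pattern are assumptions made for the illustration.

```python
import re

# Deliberately simple email check for this illustration (an assumption, not an RFC 5322
# parser): exactly one '@', no whitespace, and a dot somewhere in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def presence(value):
    """Fails on None, empty or whitespace-only input."""
    if value is None or not str(value).strip():
        return "can't be blank"
    return None


def email_format(value):
    """Fails on a non-empty value that does not look like an address (blanks are left to presence)."""
    if value is None or not str(value).strip():
        return None
    return None if EMAIL_RE.match(str(value)) else "is not a valid email address"


def max_length(limit):
    """Returns a check that fails when the value is longer than `limit` characters."""
    def check(value):
        if value is not None and len(str(value)) > limit:
            return f"is too long (maximum is {limit} characters)"
        return None
    return check


# Constructed rule set for the article's contact form (hypothetical field names and limits).
CONTACT_FORM_RULES = {
    "name": [presence, max_length(100)],
    "email": [presence, email_format],
    "message": [presence, max_length(2000)],
}


def validate(form, rules):
    """Run every rule and return {field: [messages]}; an empty dict means the form is valid.
    Messages are generated from the field name and the failing rule, as Rails does.
    Fields the rules do not mention are rejected instead of silently accepted, so a
    client cannot smuggle extra attributes into whatever model the form feeds."""
    errors = {}
    for field, checks in rules.items():
        value = form.get(field)
        for check in checks:
            message = check(value)
            if message:
                errors.setdefault(field, []).append(f"{field.capitalize()} {message}")
    for field in form:
        if field not in rules:
            errors.setdefault(field, []).append(f"{field} is not a permitted field")
    return errors


def assert_valid(form, rules=CONTACT_FORM_RULES):
    """Assert-style entry point in the spirit of express-validator: raise if anything fails,
    so unvalidated input never reaches the database code; returns the form otherwise."""
    errors = validate(form, rules)
    if errors:
        raise ValueError(errors)
    return form


if __name__ == "__main__":
    print(validate({"name": "", "email": "not-an-email", "message": "hi"}, CONTACT_FORM_RULES))
    print(assert_valid({"name": "Ada", "email": "ada@example.com", "message": "hi"}))
```

Treating unknown fields as errors is the part most hand-rolled validators forget; it is the server-side counterpart of the strong-parameters whitelist that Rails applies before a model is touched.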

Out of the frameworks surveyed, Ruby on Rails is the clear leader, with a mature, simple, intuitive validation system that has been copied by a variety of other systems. Node.js has the most attractive development ideas in the express-validator library, and hopefully these will become the standard as the framework matures. ASP.NET, while very flexible, does not reach the same developer productivity as the other systems, because of the competing demands of the GUI designer and hand-written code.

Throughout this evaluation of enterprise web development frameworks, each of the major platforms (PHP, ASP.NET, Ruby on Rails, Python’s Django, and Node.js) has shown its individual advantages and drawbacks. With each framework excelling in only a few of the key areas, the field is ripe for a new, integrated development framework to take hold of the enterprise market.

Written by Andrew Palczewski

About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.