Web Servers - Input Validation

Input validation is a mechanism in place to verify the validity of information as it is entered into an application. When a user enters information into a form on a web application, the user sometimes has few or no restrictions placed on them. When data is accepted without restrictions or validation, mistakes, both intentional and unintentional, will happen, and this may lead to nothing or to a compromise. Sometimes restrictive validation is in place on all data the developer expects will come directly from the end user. A developer may not consider validation on data end users are not offered the chance to enter or change, such as hidden form fields, header fields or other information that may not even be presented to the end user. An attacker may tamper with this kind of data as it may be reflected in the web site source code and may lead to some sort of injection.

Some of the issues that may arise from not validating information include:
• Database manipulation
• Database corruption
• Buffer overflows
• Inconsistent data

A developer should never trust data from the end user even though it comes from, say, a static drop-down menu or a hidden field. Assuming that this can never change is dangerous and can lead to attacks like SQL injection (SQLi), Cross-site Scripting (XSS) or worse. Of course the issue is the same with most software that lacks proper input validation. Buffer overflows have been triggered from environment variables, music playlists and other unexpected sources, which only proves the creativity of attackers.
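The point above, that a drop-down value, a hidden field and the set of submitted fields themselves all have to be checked on the server, as an added example that is not part of the original post. The form schema and field names are constructed for this illustration; the server keeps its own allowlist for every field instead of trusting the HTML it sent to the browser.

```python
import re

# Server-side schema for one form (constructed for this example; the
# field names are hypothetical). Every field the application will read
# is listed, including the "static" drop-down and the hidden field, so
# values the browser supposedly could not change are validated anyway.
FORM_SCHEMA = {
    "username": {"type": "text", "pattern": re.compile(r"[A-Za-z0-9_]{3,32}")},
    "country":  {"type": "choice", "allowed": {"NO", "SE", "DK", "FI"}},  # drop-down
    "quantity": {"type": "int", "min": 1, "max": 100},
    "plan_id":  {"type": "choice", "allowed": {"basic", "pro"}},          # hidden field
}

class ValidationError(ValueError):
    pass

def validate_form(submitted):
    """Return typed, validated values; raise ValidationError on the first violation."""
    # Fields the form never defined are a classic sign of tampering and
    # must not reach the application at all.
    unexpected = set(submitted) - set(FORM_SCHEMA)
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    clean = {}
    for name, rule in FORM_SCHEMA.items():
        if name not in submitted:
            raise ValidationError(f"missing field: {name}")
        value = submitted[name]
        if not isinstance(value, str):
            raise ValidationError(f"{name}: expected a single string value")
        if rule["type"] == "text":
            if not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: does not match the allowed pattern")
            clean[name] = value
        elif rule["type"] == "choice":
            # Allowlist: the server decides what the valid options are,
            # not the option list or hidden input sent to the browser.
            if value not in rule["allowed"]:
                raise ValidationError(f"{name}: {value!r} is not an allowed option")
            clean[name] = value
        elif rule["type"] == "int":
            if not re.fullmatch(r"[0-9]{1,9}", value):
                raise ValidationError(f"{name}: not a non-negative integer")
            number = int(value)
            if not rule["min"] <= number <= rule["max"]:
                raise ValidationError(f"{name}: {number} outside {rule['min']}..{rule['max']}")
            clean[name] = number
    return clean
```

Rejecting the whole request on the first violation, rather than silently fixing individual values, keeps tampered submissions out of logs and databases as "almost valid" records.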