
Never Trust Inputs; Data Validation in Business Layer

Due to the recent increase in security concerns across the computer industry, software developers also need to play their role by writing secure and trustworthy code.


One of the foundational rules of trustworthy code is: Never Trust Inputs. According to this rule, one should validate all inputs to the code. In modern N-tier application models, these validations should be in each tier, from the user interface layer to the data/(web)service layer.


ASP.NET’s validation controls come in handy in the UI layer of a web application. We need something comparable for Windows Forms as well.


For the other tiers, apparently there is no framework available. But today, I found a very nice article on TheServerSide that provides a framework for data validation in the business layer. The author has used a declarative approach using .NET attributes, and it’s worth a look.


.NET attributes have been used extensively for web methods and code access security declarations within the base class library of Microsoft .NET. A few O/R mapping tools have also used attributes for mapping declarations. After reading the mentioned article, you will come to know another usage of attributes, and frankly speaking, I am impressed by this approach!
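
A sketch of what declarative, attribute-based validation in a business layer can look like, added here as an illustration; it is not code from this post or from the TheServerSide article. The names `RuleAttribute`, `LengthAttribute`, `PatternAttribute`, `Customer` and `Validate` are hypothetical, and the sample input is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical rule base class: Check returns null when the value is acceptable.
[AttributeUsage(AttributeTargets.Property)]
public abstract class RuleAttribute : Attribute
{
    public abstract string Check(string name, object value);
}
public sealed class LengthAttribute : RuleAttribute
{
    private readonly int min, max;
    public LengthAttribute(int min, int max) { this.min = min; this.max = max; }
    // A null or non-string value fails closed.
    public override string Check(string name, object value) =>
        value is string s && s.Length >= min && s.Length <= max ? null : $"{name}: length must be {min} to {max}";
}
public sealed class PatternAttribute : RuleAttribute
{
    private readonly Regex regex;
    // Anchored at both ends so a valid substring cannot satisfy the rule.
    public PatternAttribute(string pattern) { regex = new Regex(@"\A(?:" + pattern + @")\z"); }
    public override string Check(string name, object value) =>
        value is string s && regex.IsMatch(s) ? null : $"{name}: invalid format";
}
public class Customer   // constructed business object
{
    [Length(1, 50)] public string Name { get; set; }
    [Pattern("[0-9]{5}")] public string PostalCode { get; set; }
}

public static class Program
{
    // Runs every rule declared on the object's properties and collects the failures,
    // so the business layer can reject the object before it reaches the data layer.
    public static List<string> Validate(object target)
    {
        var errors = new List<string>();
        foreach (var p in target.GetType().GetProperties())
            foreach (RuleAttribute r in p.GetCustomAttributes(typeof(RuleAttribute), true))
                if (r.Check(p.Name, p.GetValue(target)) is string error) errors.Add(error);
        return errors;
    }
    public static void Main()
    {
        var c = new Customer { Name = "Ali", PostalCode = "54000'; --" }; // constructed input
        foreach (string e in Validate(c)) Console.WriteLine(e);
    }
}
```

Because the rules live on the business object itself, the same checks apply no matter which UI or service front end constructed it.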


For the data layer, it’s recommended to expose only the stored procedures. With this approach, one not only gets encapsulation but can also easily introduce authentication and authorization mechanisms. We need to decorate these exposed stored procedures with input validation code. A few weeks ago, I posted one of the approaches for string verification in T-SQL. If I get some time, I will try to post more about input validation in the data layer.

Published Wednesday, May 19, 2004 4:58 PM by khurram


# re: Never Trust Inputs; Data Validation in Business Layer

Thursday, May 20, 2004 12:58 AM by FarazTruehttp
I consider data validation very important even at the function level. If you are more interested in best coding practices you can check out a book called "Code Complete" by Steve McConnell (http://www.stevemcconnell.com).