Input validation is the process of verifying that user-supplied data meets expected criteria before processing it. It's crucial because unvalidated input is the root cause of many security vulnerabilities including injection attacks, buffer overflows, and data corruption.

Key principles:

• Whitelist validation: Define what is acceptable rather than what isn't
• Server-side validation: Never rely solely on client-side validation
• Sanitization: Clean or encode input when validation isn't sufficient
• Length limits: Prevent buffer overflows and DoS attacks

Example of proper validation:

import re

def validate_email(email):
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    if re.match(pattern, email) and len(email) <= 254:
        return True
    return False

Authentication verifies "who you are" - confirming the identity of a user or system.

• Examples: Username/password, biometrics, certificates

Authorization determines "what you can do" - granting or denying access to resources based on identity.

• Examples: Role-based access control (RBAC), permissions, ACLs

Example flow:

1. User provides credentials (authentication)
2. System verifies credentials
3. System checks user's permissions for requested resource (authorization)
4. Grant or deny access based on permissions

SQL injection occurs when user input is directly concatenated into SQL queries, allowing attackers to manipulate the database.

Example of vulnerable code:

# VULNERABLE
query = f"SELECT * FROM users WHERE username = '{username}'"

Attack example: username = "admin'; DROP TABLE users; --"

Prevention methods:

1. Parameterized queries/Prepared statements (most effective)
2. Stored procedures (when properly implemented)
3. Input validation (whitelist approach)
4. Least privilege principle for database accounts
5. Web Application Firewalls (additional layer)

Secure example:

# SECURE - Using parameterized query
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users.

Three main types:

1. Stored XSS (Persistent): Malicious script stored on server

   • Example: Comment section storing <script>alert('XSS')</script>

2. Reflected XSS (Non-persistent): Script reflected from request

   • Example: Search parameter displayed without encoding

3. DOM-based XSS: Vulnerability in client-side JavaScript

   • Example: document.write(location.hash.substring(1))

Impact: Session hijacking, credential theft, defacement, malware distribution

Prevention: Input validation, output encoding, Content Security Policy (CSP), sanitization