Quiz Entry - updated: 2026.07.14
Input validation checks progress from coarse to fine — what does each layer verify, from the source of the data down to its meaning?
Source → size → lexical (allowed characters) → syntax (correct format) → semantics (makes sense in context). Reject as early as possible.
* Validate coarse-to-fine — Source, Size, Lexical, Syntax, Semantics — rejecting at the first failure to save processing. *
You validate from cheap, coarse checks to expensive, fine ones, rejecting bad input at the first failure:
| # | Criterion | What to check | Example |
|---|---|---|---|
| 1 | Legitimate source | Verify origin system/user | CSRF token, API key |
| 2 | Reasonable size | Max length/size limits | Username ≤ 255 chars |
| 3 | Lexically valid | Only allowed characters | No <>"'; in names |
| 4 | Syntactically valid | Correct format/structure | Valid email pattern |
| 5 | Semantically valid | Makes sense in context | Birth date not in future |
Tip: Think "SLSS-S" (Source, Length, Lexical, Syntax, Semantics) — validate from coarse to fine. Reject early to save processing.
Go deeper:
OWASP Input Validation Cheat Sheet — validation strategy, allowlisting, and where to validate.