Ways of validating data
In many situations, an attacker who does not even have control over the client is nevertheless able to inject malicious data. For example, he might inject bogus data into the network stream. Sometimes, programs will accomplish tasks by using functions such as that invoke a shell (which is often a bad idea by itself; see Recipe 1.7). (We'll look at the shell input problem later in this chapter.) Another popular example is the database query using the SQL language. For example, you will generally want to validate that the person on the other end of the connection has the right credentials to perform the operations that she is requesting. However, when you're doing data validation, most often you'll be worried about input that might do things that no user is supposed to be able to do. That is, routines that read from a socket usually do not understand anything about the state the application is in. Without such knowledge, input routines can do only rudimentary filtering.
Avoid the latter situation if possible, because it is a lot harder to get right. In such a scenario, an attacker who is good at reverse engineering can replace the SQL code in the client-side binary with malicious SQL code (perhaps code that reads private records or deletes important data).