Validation checks whether the input meets a set of criteria (for example, that a string contains no standalone single quotation marks).

Sanitization modifies the input so that it becomes valid (for example, by doubling single quotation marks).

You would normally combine these two techniques to give your application defense in depth. For example, you might replace each single quotation mark in a string with two single quotation marks (sanitize) and then check that every single quotation mark was actually doubled (validate).

Validation checks include testing for length, format, range, and allowable characters. For example, if your application expects positive integer input, you need to validate that any string input consists only of the digits 0 through 9.

Oracle Database provides a PL/SQL package called DBMS_ASSERT, which contains functions that can be used to filter and sanitize input strings. DBMS_ASSERT is discussed in more detail in Lesson 5 of this tutorial, Filtering Input with DBMS_ASSERT.

To avoid SQL injection, all input that is to be concatenated into dynamic SQL must be correctly filtered and sanitized.
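The validate, sanitize, then validate-again sequence described above, written as an added PL/SQL example (not code from the tutorial). The function names, the error codes, and the EMPLOYEES table with LAST_NAME and DEPARTMENT_ID columns are assumptions for illustration.

```sql
-- Added example (not from the tutorial). Table/columns below are assumed.
CREATE OR REPLACE FUNCTION safe_literal (p_input IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_clean VARCHAR2(4000);
BEGIN
  -- Validate first: enforce length and the set of allowable characters.
  IF p_input IS NULL OR LENGTH(p_input) > 100 THEN
    RAISE_APPLICATION_ERROR(-20001, 'input missing or too long');
  END IF;
  IF NOT REGEXP_LIKE(p_input, '^[[:alpha:]'' -]+$') THEN
    RAISE_APPLICATION_ERROR(-20002, 'input contains disallowed characters');
  END IF;
  -- Sanitize: double every single quotation mark so it stays a literal quote.
  l_clean := REPLACE(p_input, '''', '''''');
  -- Validate again: strip all doubled pairs; no standalone quote may remain.
  IF INSTR(REPLACE(l_clean, '''''', ''), '''') > 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'sanitization left a standalone quote');
  END IF;
  RETURN l_clean;
END safe_literal;
/

-- Positive-integer check: digits 0-9 only, with at least one non-zero digit.
CREATE OR REPLACE FUNCTION checked_positive_int (p_input IN VARCHAR2)
  RETURN PLS_INTEGER
IS
BEGIN
  IF p_input IS NULL OR NOT REGEXP_LIKE(p_input, '^0*[1-9][0-9]*$') THEN
    RAISE_APPLICATION_ERROR(-20004, 'expected a positive integer (digits only)');
  END IF;
  RETURN TO_NUMBER(p_input);
END checked_positive_int;
/

-- Usage: both helpers run before any value is concatenated into dynamic SQL.
-- 'O''Brien' is a constructed input containing a single quotation mark.
DECLARE
  l_sql VARCHAR2(4000);
  l_cnt PLS_INTEGER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM employees WHERE last_name = '''
           || safe_literal('O''Brien') || ''' AND department_id = '
           || checked_positive_int('10');
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE(l_sql || ' -> ' || l_cnt);
END;
/
```

Where a value can be bound, as in this WHERE comparison, `EXECUTE IMMEDIATE ... USING` avoids the concatenation altogether; filtering and sanitizing is what remains for identifiers and SQL fragments that cannot be bound.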