Last updated 137 days ago by Enzo Calamiapython
Over the past few years, I worked on two types of API projects. Some implemented proper data validation,
and the others did not. Believe me: it was a huge difference!
I mostly worked on HTTP APIs and backends, and validating the body of a
PATCH is a common step.
Unexpected input handling is quite a challenge when implementing an API. You need to validate that the input is a well-formed JSON/XML/... (easy) and then you have to ensure that the fields are reasoned: no missing mandatory field, correct type, reasonable values, ...
I have seen too many software with no proper input validation. That caused
many bugs that were sometimes very hard to find.
For code written in PHP or JS (using a non-strict fashion), no proper validation led to hard bugs when
some fields were implicitly cast into
undefined and propagated into the rest of the code sneakily.
Sometimes, wrong values managed to reach the database and caused quite a mess.
In more strict languages like Python, you end up with two kinds of runtime error. The easy ones, where something like
x['field'] raises a
KeyError exception. Also, the more difficult ones,
None and causes a
TypeError later in the code.
It is crucial to reject any non-intended values before any processing that can mess up with the program or the integrity of the database. (aside note: if your DB supports it, use constraints as a last line of defense.)