What is input validation and why is it important?

Input validation is the process of ensuring that all user-supplied input meets expected format, type, length, and range requirements before processing it. It is a foundational security control because many attacks (SQL injection, XSS, command injection, buffer overflows, path traversal) rely on malformed or malicious input reaching the application. Validation approaches: Whitelist (allowlist) validation — define what is valid and reject everything else (most secure). Blacklist (denylist) — block known bad input (fragile, easy to bypass). Server-side validation is mandatory — client-side validation (JavaScript) is easily bypassed. Validate: data type, length, range, format (regex), allowed characters. Output encoding (escaping) is separate from validation — it handles the case where special characters are legitimate but must be safely rendered. Defense-in-depth: validate, encode, use parameterized queries, use a WAF.