paulschneider / b247-api


Are the password, email, firstname, etc sanitized? #35

Closed pablocarrillo closed 10 years ago

pablocarrillo commented 10 years ago

Are all these fields sanitized before going to the database, or should we be worried about this on the clients? In my opinion it is better to handle this in the API; it would also be just one point, instead of multiple clients.

Also, the search query is another potential field to look at for this. Mainly any field that is filled in by the users directly.

paulschneider commented 10 years ago

Yes of course, the API should definitely handle this. The framework I am using handles data sanitisation on DB inserts and updates automatically.

I would say that clients should handle a form of validation (as I would do if I were building a website) that meets the requirements of the API validation rules, as this will improve the user experience. It's better to do as much as you can client side and then throw it at the server for final validation and storage (or whatever action is taking place).

pablocarrillo commented 10 years ago

I agree, we will provide data validation, but some things, like the search, can be a little difficult on our side. Regarding the validation, we should probably put together some document with all the info that should be validated, like email (what is a valid email), password (min, max, accepted characters, minimum requirements), first and last name parameters, etc. Thanks.

paulschneider commented 10 years ago

Okay, I've started a document detailing the validation requirements as I am currently aware of them, including what the database will limit data entry to. You should get a shared document request in a moment.
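As an added illustration of the two points raised in this thread (server-side validation rules for email, password and names, and keeping the search term out of the SQL), here is a small Python sketch. It is not the b247-api code; the field limits, regexes and the in-memory SQLite table are constructed assumptions standing in for the shared validation document.

```python
import re
import sqlite3

# Constructed limits standing in for the shared validation document;
# these are illustrative assumptions, not the project's real values.
RULES = {
    "email": {"max": 254},
    "password": {"min": 8, "max": 128},
    "firstname": {"max": 50},
    "lastname": {"max": 50},
    "search": {"max": 100},
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_RE = re.compile(r"^[^\x00-\x1f<>]+$")  # no control chars or angle brackets

def validate_user(fields):
    """Return a dict of field -> error message; an empty dict means valid input."""
    errors = {}
    email = fields.get("email", "").strip()
    if not EMAIL_RE.match(email) or len(email) > RULES["email"]["max"]:
        errors["email"] = "invalid email address"
    pw = fields.get("password", "")
    if not RULES["password"]["min"] <= len(pw) <= RULES["password"]["max"]:
        errors["password"] = "password length out of range"
    elif not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        errors["password"] = "password needs both letters and digits"
    for name in ("firstname", "lastname"):
        val = fields.get(name, "").strip()
        if not val or len(val) > RULES[name]["max"] or not NAME_RE.match(val):
            errors[name] = "missing, too long or contains disallowed characters"
    return errors

def make_demo_db():
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("ann@example.com", "Lee"), ("bob@example.com", "Smith")])
    return conn

def search_users(conn, term):
    """Search by last-name prefix with a bound parameter: the term is data, never SQL."""
    term = term.strip()
    if not term or len(term) > RULES["search"]["max"]:
        return []
    cur = conn.execute("SELECT email FROM users WHERE lastname LIKE ?", (term + "%",))
    return [row[0] for row in cur.fetchall()]
```

Validation rejects malformed input with a per-field message the client can surface, while the parameterised query means a search term that looks like SQL simply matches nothing.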

pablocarrillo commented 10 years ago

Got the document, good job!