Which secure coding practice addresses input validation and output encoding to prevent injection?

The key idea here is preventing injection by properly controlling what data can enter a system and how data is treated when it leaves a system. The recommended practice focuses on two parts: input validation and output encoding. First, using allowlists means you define exactly what valid input looks like and only accept those forms. This is safer than trying to block known bad inputs, because attackers often find new patterns that bypass simple filters. By specifying explicit, acceptable values or patterns, you drastically reduce the surface area for injection attempts. Second, validating type and length ensures inputs conform to what the program expects. Enforcing the correct data type and limiting size helps prevent a range of attacks, such as injecting excessively long strings or data that could be misinterpreted as code. Rejecting input that doesn’t match these expectations stops malformed data from advancing through the system. Third, encoding outputs is crucial for preventing data from being executed as code in downstream contexts. When data is displayed in a web page or included in a query, encoding converts potentially dangerous characters into a safe representation, so it’s not treated as HTML, JavaScript, SQL, or shell code. This protects against cross-site scripting, SQL injection, and other injection avenues. Taken together, these practices provide a strong defense: strict input control at the boundary plus safe output handling for every context in which data is rendered or used. The other options fall short because they either depend on external tools without guaranteeing correct application of validation and encoding, or they rely on restrictions that are impractical (disabling all input) or insufficient (client-side validation only).