https://owasp.org/www-community/attacks/Format_string_attack
https://www.theregister.com/2014/04/09/heartbleed_explained/
https://xkcd.com/1354/
Never trust input (especially not user input)
– Know the inputs your software should work on.
– Make sure it works for these inputs.
– If other inputs are supplied: quit (or otherwise handle them).
– What to do about it?
— Whitelisting: check for known-good inputs and fail on everything else
VS
— Blacklisting: check for known-bad inputs and process everything else
==> First approach usually better!!
— Use regular expressions to check inputs. See regexlib.com for expressions to check email addresses, phone numbers, dates.
– Check all inputs: composition, length, syntax, range. Example: checking dates.
– Add assertions to methods (which fail if arguments are incorrect).
– Don't assume that information is authentic (e.g., data this program wrote the last time it was invoked).
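The slide's date example, worked through as an added illustration (this is not code from the slides): a whitelist check that verifies composition, length, syntax and range of a date string, side by side with a blacklist check that only rejects "bad" characters, and a method that refuses to run on unvalidated arguments. The function names and the sample inputs are constructed for this example. Note the deliberate choice of `[0-9]` instead of `\d`: in Python, `\d` also matches non-ASCII digits such as Arabic-Indic numerals, which `int()` happily converts, so a whitelist written with `\d` is wider than its author intended.

```python
import re
from datetime import date

# Whitelist: the only shape an ISO date is allowed to have. [0-9] rather than \d
# so that only ASCII digits pass (\d would also match e.g. Arabic-Indic digits).
DATE_RE = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")

# Range chosen for this example; a real system picks bounds from its domain.
MIN_YEAR, MAX_YEAR = 1900, 2100


def is_valid_date(text: str) -> bool:
    """Whitelist check in the slide's order: composition, length, syntax, range."""
    if not isinstance(text, str) or len(text) != 10:      # length
        return False
    m = DATE_RE.fullmatch(text)                            # composition + syntax
    if m is None:
        return False
    year, month, day = (int(g) for g in m.groups())
    if not (MIN_YEAR <= year <= MAX_YEAR):                 # range (year)
        return False
    try:
        date(year, month, day)                             # range (month/day, leap years)
    except ValueError:
        return False
    return True


def blacklist_ok(text: str) -> bool:
    """Blacklist check for contrast: rejects a few 'dangerous' characters,
    accepts everything else, including strings that are not dates at all."""
    return not any(c in text for c in ";'\"<>\\")


def schedule(date_text: str) -> date:
    """Method that refuses incorrect arguments. An assert documents the contract
    for callers; the explicit ValueError is what protects against untrusted
    input, because asserts are stripped when Python runs with -O."""
    assert isinstance(date_text, str), "date_text must be a str"
    if not is_valid_date(date_text):
        raise ValueError(f"rejected input: {date_text!r}")
    y, m, d = (int(p) for p in date_text.split("-"))
    return date(y, m, d)


# Constructed sample inputs (not from the slides) and the verdict of each check.
SAMPLES = [
    "2024-02-29",      # valid: leap day in a leap year
    "2023-02-29",      # syntactically fine, but no such day
    "2024-2-9",        # wrong length / composition
    "1850-01-01",      # outside the accepted year range
    "2024-02-29;x",    # trailing junk
    "\u0662\u0660\u0662\u0664-02-29",  # Arabic-Indic digits for "2024"
]


def compare_checks(samples=SAMPLES) -> dict:
    """Returns {input: (whitelist_verdict, blacklist_verdict)} for each sample."""
    return {s: (is_valid_date(s), blacklist_ok(s)) for s in samples}


if __name__ == "__main__":
    for text, (white, black) in compare_checks().items():
        print(f"{text!r:28} whitelist={white!s:5} blacklist={black}")
```

Running the block shows the point of the slide: the blacklist lets "2023-02-29", "2024-2-9", "1850-01-01" and the non-ASCII digits through because none contain a forbidden character, while the whitelist rejects everything except the one well-formed, in-range date.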