The basic rule of input validation is to check that input data meets every constraint it must satisfy to be used correctly in the given context.
In many cases this is difficult: confirming that a string of digits is in fact a telephone number may require considering the many different phone number formats used by countries around the world.
Captchas often contain punctuation, or what might be punctuation. If you have to back up and resubmit a page, the Captcha will sometimes rudely and falsely accuse you of fraud. A Captcha is like placing dog poo on your welcome mat. If you get the second part right, it presumes you knew what you were doing for the first.
They don't tell you whether you are supposed to type it. Captchas are getting harder and harder to guess every month. Each time, the server typically erases part of my form and I have to rekey it. This way, as a side effect of solving the
I think Captchas are an inexcusably rude way to treat your customers.
Alternative libraries specifically designed with security in mind are often more robust.
The idea is that it proves you are a real human, not some malicious automaton. You have to type the deliberately distorted letters and numbers you see, such as: is that first one v911 or v9ll? A variant asks you a multiple-choice question to identify a picture. You have a similar but less serious problem keying serial numbers and Windows activation codes. Any time you want people to key random gibberish, e.g. serial numbers, activation keys and validation codes, the number should not use the characters .

I had impure thoughts about bodily harm to those who posed inscrutable Captchas to me that I could not solve in a dozen tries. If a site uses these foul things, it should at least monitor the distribution of how many tries its users need and how many give up in disgust.

If input is not checked to verify that it has the correct type, format, and length, it can cause problems. Failure to validate input can lead to serious security risks such as integer errors, buffer overflows, and SQL injection, among others. Dynamically typed languages such as Perl and Ruby do not impose any such requirements: any variable can store a value of any type. Of course, these languages do not eliminate validation problems; you may still run into trouble if you use a string to retrieve an item from an integer-indexed array.

The system discarded the extra digit and transferred 0,000 to the (incorrect) account identified by the 11 remaining digits. A simple dialog box informing her that she had typed too many digits might have avoided this expensive error.
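The following is an added example, not code from the original page, showing the "check type, format, and length" rule in practice: the silent-truncation behaviour behind the extra-digit transfer beside a validator that rejects instead, an E.164 phone number check, and a guard for turning user text into an array index. The 11-digit account number length, the hypothetical bank, and the minimum phone length are assumptions made for the example; the caveat it adds is that Python's str.isdigit() and int() accept more than ASCII digits, so they are not format checks on their own.

```python
import re


class ValidationError(ValueError):
    """Raised when input fails any constraint required for its intended use."""


# Assumption for this example: the (hypothetical) bank uses 11-digit account numbers.
ACCOUNT_NUMBER_LEN = 11

# ASCII digits only. str.isdigit()/isdecimal() also accept other Unicode digits
# (Arabic-Indic "١٢٣", fullwidth "１２３"), and int() accepts "1_000", so neither
# is a sufficient format check on its own.
_ASCII_DIGITS = re.compile(r"[0-9]+")


def naive_account_number(raw: str) -> str:
    """The failure mode from the text: make the input fit the field by dropping
    whatever does not fit. A 12-digit entry silently becomes a different,
    valid-looking 11-digit account number."""
    return raw.strip()[:ACCOUNT_NUMBER_LEN]


def validate_account_number(raw) -> str:
    """Type, format and length are each checked; anything else is rejected,
    never adjusted."""
    if not isinstance(raw, str):
        raise ValidationError("account number must be a string")
    s = raw.strip()
    if not _ASCII_DIGITS.fullmatch(s):
        raise ValidationError("account number must contain only the digits 0-9")
    if len(s) != ACCOUNT_NUMBER_LEN:
        raise ValidationError(
            f"account number must be exactly {ACCOUNT_NUMBER_LEN} digits, got {len(s)}"
        )
    return s


def validate_phone_e164(raw) -> str:
    """Normalise a phone number to E.164 form: '+' followed by at most 15 digits,
    where the country code never starts with 0. Common separators are stripped
    first. The minimum of 7 digits is an assumption for this example. This checks
    well-formedness only; it does not prove the number exists in any numbering plan."""
    if not isinstance(raw, str):
        raise ValidationError("phone number must be a string")
    s = re.sub(r"[\s().-]", "", raw)
    if not re.fullmatch(r"\+[1-9][0-9]{6,14}", s):
        raise ValidationError("phone number must be in E.164 form, e.g. +14155550123")
    return s


def parse_index(raw, length: int) -> int:
    """Turn user-supplied text into an index for a sequence of `length` items.
    int() alone is not a validator: int("1_0") == 10 and int("１２") == 12,
    and a parsed value still needs a bounds check before it is used."""
    if not isinstance(raw, str) or not _ASCII_DIGITS.fullmatch(raw):
        raise ValidationError("index must consist of ASCII digits only")
    i = int(raw)
    if i >= length:
        raise ValidationError(f"index {i} out of range for {length} items")
    return i


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    too_long = "123456789012"  # one digit too many
    print("naive:", naive_account_number(too_long))  # a different account
    try:
        validate_account_number(too_long)
    except ValidationError as e:
        print("strict:", e)
    print(validate_phone_e164("+1 (415) 555-0123"))
    print(parse_index("7", length=10))
```

The contrast to notice is that naive_account_number returns a value for the bad input while validate_account_number refuses it; the first behaviour is exactly what turned a typing slip into a transfer to the wrong account.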