cybersecurity · intermediate · ~15 min · safe pentest lab

Validate input length

Adopt allowlist validation as a habit.

Challenge

Implement int validate_user_input(const char *s) returning 0 if s is between 1 and 64 chars and contains only ASCII letters, digits, or one of -_.@+; otherwise -1.

Why this matters

The most common input bug isn't malicious content — it's malformed length. A function that asserts input length is in a known range catches 90% of bugs before they reach business logic.

Starter code

#include <stdio.h>
#include <ctype.h>

int validate_user_input(const char *s) {
    /* TODO */
    return -1;
}

Common mistakes

Off-by-one on the upper bound. Not checking for NULL. Using strlen on non-NUL-terminated input.

Edge cases to handle

Empty input. Input exactly at the limit. Input one byte over the limit. NULL pointer.

Complexity

O(length).
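A reference solution for the challenge above, added here as an example and not part of the original exercise; `is_allowed` and `MAX_INPUT_LEN` are names introduced for illustration. It assumes an ASCII execution character set and that `s` is either NUL-terminated or points to at least 65 readable bytes, and it bounds the scan itself instead of calling `strlen`.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_INPUT_LEN 64  /* upper bound from the challenge statement */

/* Explicit ASCII ranges: unlike isalnum(), this does not depend on the
 * locale and is well defined for bytes >= 0x80 when char is signed. */
static int is_allowed(unsigned char c) {
    if (c >= 'a' && c <= 'z') return 1;
    if (c >= 'A' && c <= 'Z') return 1;
    if (c >= '0' && c <= '9') return 1;
    return c == '-' || c == '_' || c == '.' || c == '@' || c == '+';
}

int validate_user_input(const char *s) {
    size_t i;

    if (s == NULL)
        return -1;

    /* Inspect at most MAX_INPUT_LEN characters, stopping at the first NUL. */
    for (i = 0; i < MAX_INPUT_LEN && s[i] != '\0'; i++) {
        if (!is_allowed((unsigned char)s[i]))
            return -1;
    }

    if (i == 0)
        return -1;                    /* empty input */

    /* Either we stopped at the NUL (valid) or a 65th byte exists (too long).
     * s[MAX_INPUT_LEN] is the furthest byte this function ever reads. */
    return s[i] == '\0' ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs covering the edge cases listed above. */
    const char *samples[] = { "", "a", "user.name+tag@example-host_1", "bad input" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-32s -> %d\n", samples[k], validate_user_input(samples[k]));
    printf("%-32s -> %d\n", "(NULL)", validate_user_input(NULL));
    return 0;
}
```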
