user-supplied
User-supplied data refers to information provided by people interacting with a software system, rather than produced by the system itself. The term is also written as user-supplied input or simply user input. It includes values entered into forms, parameters supplied via an API, uploaded files, and configuration options chosen by a user. In many systems, user-supplied data drives behavior, content, and access decisions, which is why it must be treated as untrusted until it has been checked.
User-supplied data appears across many contexts: web forms, command-line interfaces, mobile apps, and configuration dashboards. It
There are several risks associated with user-supplied input. It can be malformed, out of range, or spoofed,
Best practices for managing user-supplied data include:
- Validate input at trust boundaries with allowlist checks on type, length, range, and character set; treat sanitization (rewriting a value into an acceptable form) as a fallback, not a substitute for rejecting bad input.
- Encode data for the context it is placed into (HTML, URL, JSON, shell argument), at the point of output rather than on input, since the correct encoding depends on the destination.
- Prefer parameterized queries and prepared statements so that user data is passed separately from the query text and is never interpreted as code.
- Enforce least privilege for the components that handle the data, cap input lengths, and reject oversized or malformed values rather than silently truncating them; fail closed with sensible defaults and clear error handling.
- Log provenance (source, time, and validation outcome) to support auditing and debugging, without writing the raw value or any secret it may contain into the log.
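The following Python example is added here to illustrate the practices above together; it is not code from the original page or from any particular project. It uses a hypothetical username field, constructed sample inputs (a benign value, an HTML injection string, a SQL injection string, and a filename carrying shell metacharacters), and an in-memory SQLite table with made-up rows. The function names (validate_username, check_and_log, render_greeting, find_user_vulnerable, find_user_safe, build_argv) are illustrative and not from any library.

```python
import html
import re
import shlex
import sqlite3
from datetime import datetime, timezone

# Constructed sample values standing in for user-supplied input (not real traffic).
SAMPLE_INPUTS = {
    "benign": "alice",
    "html_injection": "<script>alert(1)</script>",
    "sql_injection": "' OR '1'='1",
    "shell_metachars": "report.txt; rm -rf /",
}

# Allowlist for a hypothetical username field: explicit character set and length bound.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """Boundary validation: type, length and character-set checks.
    Rejects (raises) instead of silently truncating or 'fixing' the value."""
    if not isinstance(value, str):
        raise TypeError("username must be a string")
    if USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username must be 1-32 characters from [A-Za-z0-9_]")
    return value


def check_and_log(field, value, source):
    """Validate a field and return a provenance record suitable for an audit log.
    The record says where the value came from and whether it was accepted;
    the raw value itself is not stored, only its length."""
    record = {
        "field": field,
        "source": source,
        "length": len(value) if isinstance(value, str) else None,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }
    try:
        validate_username(value)
        record["accepted"] = True
        record["reason"] = None
    except (TypeError, ValueError) as exc:
        record["accepted"] = False
        record["reason"] = str(exc)
    return record


def render_greeting(name):
    """Output encoding for the HTML context. Applied at render time even for
    validated values, because validation rules and output contexts change independently."""
    return "<p>Hello, {}</p>".format(html.escape(name, quote=True))


def setup_db():
    """In-memory SQLite table with constructed rows for the query examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: the user's value is spliced into the query text,
    so a quote character in the data is interpreted as SQL."""
    query = "SELECT name FROM users WHERE name = '{}'".format(name)
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement, so it can only ever be compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def build_argv(filename):
    """Build a command as an argument vector, not a shell string. Metacharacters in
    the filename stay inside one argument; pass this to subprocess.run without shell=True."""
    return ["cat", "--", filename]


def argv_for_log(argv):
    """Shell-quoted rendering of an argv that is safe to paste into a shell or a log line."""
    return shlex.join(argv)


if __name__ == "__main__":
    conn = setup_db()
    for label, value in SAMPLE_INPUTS.items():
        print(label, check_and_log("username", value, "form:signup"))
    print(render_greeting(SAMPLE_INPUTS["html_injection"]))
    print("vulnerable:", find_user_vulnerable(conn, SAMPLE_INPUTS["sql_injection"]))
    print("safe:      ", find_user_safe(conn, SAMPLE_INPUTS["sql_injection"]))
    print(argv_for_log(build_argv(SAMPLE_INPUTS["shell_metachars"])))
```

Running the script shows the contrast the list describes: the string-built query returns every row for the injection string because the spliced quote turns the data into a second condition, while the parameterized query returns nothing; the HTML greeting carries the script tags as inert text; and the shell-quoted argv keeps the semicolon inside a single argument. The provenance record is deliberately built without the raw value, so it can be logged freely.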
Considerations also cover privacy and consent, as user-supplied data may include personal information. Systems should minimize
Examples include user-entered search terms, profile information, settings chosen in a preferences panel, or data uploaded
See also: input validation, data integrity, user input, data sanitization.