Input Validation in c:

Input Validation is the process of verifying that the data provided by a user or a file meets the expected criteria before the program processes it. In C, failing to validate input is a leading cause of security vulnerabilities and unexpected crashes.

1. The Problem with scanf()

The standard scanf() function is often risky. If a user enters a string when an integer is expected, scanf() fails, and the invalid input remains in the input buffer, often causing infinite loops or garbage data processing.

Buffer Overflow: Entering 20 characters into a 10-character array.
Type Mismatch: Entering "abc" into an int variable.
Range Errors: Entering -5 when a positive age is expected.

2. Basic Range Validation

This is the simplest form of validation, ensuring a number falls within a specific logical boundary.

int age;
printf("Enter age (1-100): ");
scanf("%d", &age);

if (age < 1 || age > 100) {
printf("Invalid age! Please enter a value between 1 and 100.\n");
} else {
printf("Age accepted.");
}

3. Checking scanf() Return Value

scanf() returns the number of items successfully scanned. Checking this value is the first line of defense against type mismatches.

int num;
printf("Enter a number: ");

if (scanf("%d", &num) != 1) {
printf("Error: That's not a valid number!\n");
// Clear the buffer here
}

4. Robust Input: Using fgets() and sscanf()

Professional C developers often avoid scanf() for strings. Instead, they use fgets() to read an entire line safely and then parse it.

Function	Why it's better
`fgets()`	Prevents buffer overflow by specifying the maximum size.
`sscanf()`	Parses data from a string rather than direct user input.
`isdigit()`	Checks character-by-character if the input is a numeric digit.

5. Clearing the Input Buffer

When validation fails, you must clear the "trash" left in the buffer, or the next input request will automatically read that same trash.

// Common way to clear the buffer in C
int c;
while ((c = getchar()) != '\n' && c != EOF);

6. Common Validation Checklist

Presence Check: Did the user actually enter anything?
Length Check: Is the string too long for the destination array?
Format Check: Does the email or date follow the correct pattern?
Sanitization: Removing dangerous characters (like \n) from the input.

Pro Tip: Never trust user input. Treat all incoming data as potentially "malicious" or "broken." Using a combination of fgets() and atoi() or strtol() is much safer than a raw scanf()!