What is Defensive Coding?

Defensive coding is a way of ensuring your program or code continues to function under unforeseen or unintended circumstances. Imagine a hacker or malicious user is trying to find vulnerabilities in your program, such as seeing the contents of a database, you want your program to not reveal any secure information or break in such a way that reveals vulnerabilities. Another reason to write defensive code is to prevent a normal user from accidentally making your program halt or perform in an unintended manner.

Let’s look at a simple example and how we can write some defensive code around it to protect it against unintended usages. The below code snippet shows a simple function that takes two parameters and returns the multiplication of those two parameters. This function obviously should take two numbers as the parameters, but what would happen if a string or a boolean is passed into the function instead?

We could add an if statement to the function to ensure that both parameters are above the number 0, this would ensure that they’re number variable types. This change to the code is shown below, if the parameters are not numbers (e.g. booleans or string) or are not positive numbers, they are not above the number 0, the function will return the number 0 otherwise it will return a multiplication of the two parameters. The two numbers passed into the function. This if statement does include defensive code but it stops the function from returning the multiplication of numbers below or equal to the number 0.

We can change the function by checking the variable type of the two passed in parameters. The code below ensures that both parameters are of the variable type ‘number’ and if they are it returns the multiplication of the two numbers otherwise it returns the number 0. This would allow negative numbers or decimal/floating-point numbers to be passed in and the multiplication of those returned.

Defensive coding is a way to prevent your program from ‘acting up’ under strange or unforeseen circumstances, such as the wrong parameter variable types being passed into a function. The example shown on this page is very simple and defensive coding can become more complicated or include checking other things and not just numbers. For example, if you are processing a file you may want to check that the file exists and you have permission to access the file before trying to process it. Try catch blocks can be used to attempt a process and then catch any errors or exceptions, and run a different code path if any errors occur.

Leave a Reply