How to Validate User Input Against a Whitelist in Batch Script

When your Batch script asks for user input (via set /p or command-line arguments), you should never assume the user will type exactly what you expect. If your script accepts "YES" or "NO," and the user types "MAYBE," your script might fall into an unintended block of code or cause a system error. "Whitelist Validation" is a security and stability technique where you compare the input against a strictly defined list of allowed values. If the input isn't on the list, it's rejected immediately.

This guide will explain how to build a robust validation loop using a whitelist of safe values.

Method 1: The Multi-IF Validation (Small Lists)

If you only have two or three allowed choices, a sequence of IF statements is the most readable approach.

@echo off
setlocal enabledelayedexpansion

:AskInput
set "userChoice="
set /p "userChoice=Choose an environment (PROD, DEV, STAGE): "

if not defined userChoice (
    echo [ERROR] No input provided.
    goto :AskInput
)

:: Validate against the whitelist
set "isValid=false"
if /i "!userChoice!"=="PROD" set "isValid=true"
if /i "!userChoice!"=="DEV" set "isValid=true"
if /i "!userChoice!"=="STAGE" set "isValid=true"

if "!isValid!"=="false" (
    echo [ERROR] "!userChoice!" is not a valid option.
    goto :AskInput
)

echo [OK] Selected environment: !userChoice!
:: (Proceed with logic)

Method 2: The Loop Filter (Large Lists)

If you have a dozen allowed values (like a list of approved server names), using 12 IF statements is inefficient. Instead, use a FOR loop to check the whitelist string.

@echo off
setlocal enabledelayedexpansion

set "Whitelist=SERVER1 SERVER2 SERVER3 BACKUP1 BACKUP2"

set "node="
set /p "node=Enter Server Name: "

if not defined node (
    echo [DENIED] No server name entered.
    pause
    endlocal
    exit /b 1
)

:: Loop through the whitelist
set "found=false"
for %%a in (%Whitelist%) do (
    if /i "!node!"=="%%a" set "found=true"
)

if "!found!"=="false" (
    echo [DENIED] "!node!" is not in the authorized server list.
    pause
    endlocal
    exit /b 1
)

echo [AUTHORIZED] Connecting to !node!...
endlocal
exit /b 0

Method 3: Using 'FINDSTR' (Advanced)

For very large whitelists stored in a separate file, the findstr command is the fastest and most professional way to validate.

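@echo off
setlocal enabledelayedexpansion

set "UserList=approved_users.txt"

set "currentUser="
set /p "currentUser=Enter username: "

if not defined currentUser (
    echo [SECURITY] No username entered.
    endlocal
    exit /b 1
)

:: A pipe would hand the expanded input to a child cmd.exe that parses it again,
:: so write the input to a temporary file with a redirect instead.
set "tmpInput=%TEMP%\whitelist_input_%RANDOM%.tmp"
> "%tmpInput%" echo(!currentUser!

:: Search for a Literal (/l), Exact (/x), Case-Insensitive (/i) match
findstr /l /i /x /g:"%UserList%" "%tmpInput%" >nul
set "matchResult=!errorlevel!"
del "%tmpInput%" >nul 2>&1

if !matchResult! neq 0 (
    echo [SECURITY] User "!currentUser!" is not whitelisted.
    endlocal
    exit /b 1
)

echo [WELCOME] Access granted to !currentUser!.
endlocal
exit /b 0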

How to Avoid Common Errors

Wrong Way: Partial Matches

If your whitelist is SERVER1, and the user types SERVER, a simple findstr without the /x flag might return a "Success" even though the input is wrong.

Correct Way: Always use the /x (Exact match) flag or wrap your IF statements in quotes to ensure you are comparing the whole string.

Problem: Special Characters

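If user input contains & or |, it might break your Batch logic before it even reaches the validation check.

Solution: Use setlocal enabledelayedexpansion and !variable! for all user-provided strings to prevent code injection or script crashes. A !variable! is expanded after the line has been parsed, so & and | in the value are treated as plain text, whereas %variable% is substituted before parsing. Note that this protection applies within the current cmd.exe; a command placed on one side of a pipe is handed to a child cmd.exe, which parses the already-expanded value again.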

Best Practices and Rules

1. Case Insensitivity

Users will inevitably mix up capital and lowercase letters. Always use the /i switch in your IF and findstr commands to ensure PROD and prod are both accepted.

2. Informative Rejections

Don't just say "Invalid input." Tell the user what the acceptable values are, for example: "Error: !input! is not allowed. Please enter one of: (A, B, C)."

3. Default Values

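Consider providing a default value if the user just presses Enter. Because set /p leaves the variable undefined in that case, test it with if not defined rather than expanding it:

if not defined userChoice set "userChoice=DEV"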
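
The three practices above combined in one prompt loop, as an added example that is not part of the original guide; the whitelist, the default, the three-attempt limit and the variable names are assumptions. On a match it keeps the whitelist's own spelling, so later code never handles the user's raw string.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Assumed values for this example.
set "Whitelist=PROD DEV STAGE"
set "DefaultChoice=DEV"
set "attempts=0"

:AskInput
rem Stop after three failed attempts instead of looping forever.
set /a attempts+=1
if !attempts! gtr 3 (
    echo [ERROR] Too many invalid attempts.
    endlocal
    exit /b 1
)

set "userChoice="
set /p "userChoice=Environment (%Whitelist%) [%DefaultChoice%]: "

rem Default value: pressing Enter alone leaves the variable undefined.
if not defined userChoice set "userChoice=%DefaultChoice%"

rem Case-insensitive comparison against each whitelist entry.
rem On a match, store the whitelist's spelling, not the user's.
set "canonical="
for %%a in (%Whitelist%) do (
    if /i "!userChoice!"=="%%a" set "canonical=%%a"
)

if not defined canonical (
    rem Informative rejection: echo the input back and list what is allowed.
    echo [ERROR] "!userChoice!" is not allowed. Please enter one of: %Whitelist%
    goto :AskInput
)

rem canonical came from the script's own list, so it is safe to use from here on.
echo [OK] Selected environment: %canonical%
endlocal
exit /b 0
```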

Conclusions

Validating user input against a whitelist is a fundamental part of writing professional, secure automation. By strictly controlling the values that enter your logic, you eliminate a massive category of bugs and security risks. Whether you use a simple FOR loop or a robust FINDSTR file-based check, this defensive programming approach ensures your Batch scripts behave predictably in every scenario.