Insufficiently sanitized data allows unauthenticated access to FreePBX Admin

47 Tiberium 7 9/10/2025, 6:03:35 PM labs.watchtowr.com ↗

Comments (7)

jsd1982 · 4h ago
Sanitization of data is such a strange security practice to me. It feels like any sort of vulnerability sensitive to data sanitization just boils down to a failure to properly encode or escape data into a target language that is susceptible to injection attacks, e.g. SQL, HTML, JavaScript. Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?

ameixaseca · 4h ago
Keep in mind this is PHP.

There are tons of languages and frameworks made by developers who know what they are doing that do not treat everything blindly like strings.

For SQL in particular, you should never build queries directly from user input - any modern database supports bind variables or parameters, which completely eliminate any need for sanitizing input.

I agree with you regarding sanitization, and I'd add further that having to sanitize input for security purposes is a big sign of code smell and overall insecure code by design.

daneel_w · 3h ago
>"Keep in mind this is PHP."

Has nothing to do with PHP. SQL injection mishaps are a developer problem, not a language problem. It happens everywhere.

9dev · 2h ago
And tons of such frameworks have been written in PHP; prepared statements with an adapter-agnostic database connection layer are first-class citizens in PHP.

daneel_w · 3h ago
>"Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?"

In the context of SQL queries which accept variable input, the only correct approach is to parameterize the queries, never to string-encode the variables. So, yes. But perhaps you implied parameterization as well.

jsd1982 · 2h ago
Yes, parameterization was implied.

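Added example, not part of any comment in this thread and not code from the linked write-up: a Python/sqlite3 sketch of the escaping-versus-parameterization point discussed above, plus the one place where a bind parameter cannot be used (a column name) and an allow-list takes its place. The table, the data and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for the illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)])
    return db

def escape_quotes(value):
    # String-encoding approach: double single quotes, as for a SQL string literal.
    return value.replace("'", "''")

def lookup_escaped(db, user_id):
    # Escaping is context-dependent. The value lands in a numeric context here,
    # so quote-doubling changes nothing and the input is still parsed as SQL.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, user_id):
    # Bind parameter: the value travels separately and is never parsed as SQL.
    cur = db.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur]

# Identifiers (column names) cannot be bound, so they are checked against a
# fixed allow-list instead of being escaped.
SORTABLE_COLUMNS = {"id", "name"}

def list_sorted(db, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    cur = db.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input containing no quote characters
    print("escaped:", lookup_escaped(db, crafted))  # every row comes back
    print("bound:  ", lookup_bound(db, crafted))    # no row matches
    print("sorted: ", list_sorted(db, "name"))
```
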
formerly_proven · 4h ago
Improper design principles lead to improper programs.