Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jsd1982 2 days ago

Sanitization of data is such a strange security practice to me. It feels like any sort of vulnerability sensitive to data sanitization just boils down to a failure to properly encode or escape data into a target language that is susceptible to injection attacks e.g. SQL, HTML, javascript. Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?

ameixaseca 2 days ago | parent | next [-]

Keep in mind this is PHP.

There are tons of languages and frameworks made by developers who know what they are doing that do not treat everything blindly like strings.

For SQL in particular, you should never build queries directly from user input - any modern database supports bind variables or parameters, which completely eliminate any need for sanitizing input.

I agree with you regarding sanitization, and I'd add further that having to sanitize input for security purposes is a big sign of code smell and an overall insecure code by design.

daneel_w 2 days ago | parent | next [-]

>"Keep in mind this is PHP."

Has nothing to do with PHP. SQL injection mishaps is a developer problem, not a language problem. It happens everywhere.

ameixaseca 14 hours ago | parent [-]

I feel like answering this comment could start a possible argument, which I have no interest in doing.

I do, however, want to point that anyone interested in comparing language design choices can conclude by themselves this is likely a strong factor.

You can find references like the classic "PHP: a fractal of bad design"[1] which not only talks about the language itself but SQL injection, error handling and tons of other issues. It summarizes most of the important points.

I can also add a few issues like[2][3], which unfortunately are not isolated incidents: these are a reflection of core design decisions and how the language approaches software design as a whole.

I stand by my point, which I'll define more precisely as:

"A badly-designed language either makes it hard for developers to do good choices, or makes it easy for developers to do bad choices."

PHP is not alone, but it is a prime example of this.

You can disagree with this assessment - and that's OK.

[1] https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

[2] https://stackoverflow.com/questions/36867718/php-rename-fail...

[3] https://stackoverflow.com/questions/11360511/php-rename-how-...

9dev 2 days ago | parent | prev [-]

And tons of such frameworks have been written in PHP; prepared statements with an adapter-agnostic database connection layer are first-class citizens in PHP.

daneel_w 2 days ago | parent | prev | next [-]

>"Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?"

In context of SQL queries which accept variable input, the only correct approach is to parameterize the queries, never to string-encode the variables. So, yes. But perhaps you implied parameterization as well.

jsd1982 2 days ago | parent [-]

Yes, parameterization was implied.

formerly_proven 2 days ago | parent | prev [-]

Improper design principles lead to improper programs.