Sanitization of data is such a strange security practice to me. It feels like any sort of vulnerability sensitive to data sanitization just boils down to a failure to properly encode or escape data into a target language that is susceptible to injection attacks e.g. SQL, HTML, javascript. Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?
formerly_proven•4mo ago
Improper design principles lead to improper programs.
ameixaseca•4mo ago
Keep in mind this is PHP.
There are tons of languages and frameworks made by developers who know what they are doing that do not treat everything blindly like strings.
For SQL in particular, you should never build queries directly from user input - any modern database supports bind variables or parameters, which completely eliminate any need for sanitizing input.
I agree with you regarding sanitization, and I'd add further that having to sanitize input for security purposes is a big sign of code smell and an overall insecure code by design.
daneel_w•4mo ago
>"Keep in mind this is PHP."
Has nothing to do with PHP. SQL injection mishaps is a developer problem, not a language problem. It happens everywhere.
ameixaseca•4mo ago
I feel like answering this comment could start a possible argument, which I have no interest in doing.
I do, however, want to point that anyone interested in comparing language design choices can conclude by themselves this is likely a strong factor.
You can find references like the classic "PHP: a fractal of bad design"[1] which not only talks about the language itself but SQL injection, error handling and tons of other issues. It summarizes most of the important points.
I can also add a few issues like[2][3], which unfortunately are not isolated incidents: these are a reflection of core design decisions and how the language approaches software design as a whole.
I stand by my point, which I'll define more precisely as:
"A badly-designed language either makes it hard for developers to do good choices, or makes it easy for developers to do bad choices."
PHP is not alone, but it is a prime example of this.
You can disagree with this assessment - and that's OK.
I have to disagree, because your assessment is outdated and somewhat shallow. My impression is that it doesn't rest on much real programming experience with PHP either.
To stay with the topic, these arguments are in essence a way of trying to hold PHP as a language accountable for functions it exposed in its since long (about a decade ago) deprecated original mysql extension. These functions actually belong to the underlying C library developed by MySQL, and as has been the custom with tons of functionality brought into PHP from elsewhere over the years, the entire library was relayed. The very same functions - e.g. escape_string(), the culprit "luring" users away from parameterization - are still available in Oracle's mysql C library, and are to some extent also available in, for example, the mysql Python connector through its C extension API.
At the time "a fractal of bad design" was published a handful of its talking points were already no longer actual. It got tired and trope-y years ago, and PHP isn't what it was 15 years ago. Referencing the article today is about as valid as regurgitating "classic" 1950s health advice to Ironman triathletes or something.
ameixaseca•4mo ago
As I said, I have no intention of starting an argument.
I would just like to point out a few issues:
A) I deliberately focused on the language itself in my claims.
The functions I cited earlier were meant to illustrate the side effects of a certain mindset of the core language.
Keep in mind: these functions are not from some random library in the ecosystem, but from the core library of the language, providing core functionality. And that hasn't changed, nor the functions.
B) You've made a number of statements in response to my comments, but I don't see any supporting references.
The only justification you've given is your own opinion that "the article is too old and not relevant anymore".
Which takes us to point C.
C) I skimmed through the article again, along with the general documentation of the language, and I stand by this statement:
"Every major point in that article about the language is as relevant today as it was in 2012."
PHP might work fine for templating some web pages, but so does Jinja. As a general programming language, it falls short in too many ways to list here. You can revisit the original article I mentioned before for a more comprehensive list, in particular the "core language" section.
Well, at least that's my opinion. As I said, you're free to disagree - and that's OK.
--
Side note: The easiest approach during a disagreement in an online discussion is to write a lot of "opinion-based statements" as if they were facts, and leave everything else as an exercise for the reader.
If you want to be taken seriously, please don't do that.
9dev•4mo ago
And tons of such frameworks have been written in PHP; prepared statements with an adapter-agnostic database connection layer are first-class citizens in PHP.
daneel_w•4mo ago
>"Is there a real-world scenario where data sanitization is required where proper data encoding/escaping is not the better solution?"
In context of SQL queries which accept variable input, the only correct approach is to parameterize the queries, never to string-encode the variables. So, yes. But perhaps you implied parameterization as well.
jsd1982•4mo ago
formerly_proven•4mo ago
ameixaseca•4mo ago
There are tons of languages and frameworks made by developers who know what they are doing that do not treat everything blindly like strings.
For SQL in particular, you should never build queries directly from user input - any modern database supports bind variables or parameters, which completely eliminate any need for sanitizing input.
I agree with you regarding sanitization, and I'd add further that having to sanitize input for security purposes is a big sign of code smell and an overall insecure code by design.
daneel_w•4mo ago
Has nothing to do with PHP. SQL injection mishaps is a developer problem, not a language problem. It happens everywhere.
ameixaseca•4mo ago
I do, however, want to point that anyone interested in comparing language design choices can conclude by themselves this is likely a strong factor.
You can find references like the classic "PHP: a fractal of bad design"[1] which not only talks about the language itself but SQL injection, error handling and tons of other issues. It summarizes most of the important points.
I can also add a few issues like[2][3], which unfortunately are not isolated incidents: these are a reflection of core design decisions and how the language approaches software design as a whole.
I stand by my point, which I'll define more precisely as:
"A badly-designed language either makes it hard for developers to do good choices, or makes it easy for developers to do bad choices."
PHP is not alone, but it is a prime example of this.
You can disagree with this assessment - and that's OK.
[1] https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
[2] https://stackoverflow.com/questions/36867718/php-rename-fail...
[3] https://stackoverflow.com/questions/11360511/php-rename-how-...
daneel_w•4mo ago
To stay with the topic, these arguments are in essence a way of trying to hold PHP as a language accountable for functions it exposed in its since long (about a decade ago) deprecated original mysql extension. These functions actually belong to the underlying C library developed by MySQL, and as has been the custom with tons of functionality brought into PHP from elsewhere over the years, the entire library was relayed. The very same functions - e.g. escape_string(), the culprit "luring" users away from parameterization - are still available in Oracle's mysql C library, and are to some extent also available in, for example, the mysql Python connector through its C extension API.
At the time "a fractal of bad design" was published a handful of its talking points were already no longer actual. It got tired and trope-y years ago, and PHP isn't what it was 15 years ago. Referencing the article today is about as valid as regurgitating "classic" 1950s health advice to Ironman triathletes or something.
ameixaseca•4mo ago
I would just like to point out a few issues:
A) I deliberately focused on the language itself in my claims.
The functions I cited earlier were meant to illustrate the side effects of a certain mindset of the core language.
Keep in mind: these functions are not from some random library in the ecosystem, but from the core library of the language, providing core functionality. And that hasn't changed, nor the functions.
B) You've made a number of statements in response to my comments, but I don't see any supporting references.
The only justification you've given is your own opinion that "the article is too old and not relevant anymore".
Which takes us to point C.
C) I skimmed through the article again, along with the general documentation of the language, and I stand by this statement:
"Every major point in that article about the language is as relevant today as it was in 2012."
PHP might work fine for templating some web pages, but so does Jinja. As a general programming language, it falls short in too many ways to list here. You can revisit the original article I mentioned before for a more comprehensive list, in particular the "core language" section.
Well, at least that's my opinion. As I said, you're free to disagree - and that's OK.
--
Side note: The easiest approach during a disagreement in an online discussion is to write a lot of "opinion-based statements" as if they were facts, and leave everything else as an exercise for the reader.
If you want to be taken seriously, please don't do that.
9dev•4mo ago
daneel_w•4mo ago
In context of SQL queries which accept variable input, the only correct approach is to parameterize the queries, never to string-encode the variables. So, yes. But perhaps you implied parameterization as well.
jsd1982•4mo ago