 

blacklisting vs whitelisting in form's input filtering and validation

which is the preferred approach in sanitizing inputs coming from the user?

thank you!

ultrajohn Avatar asked Aug 24 '10 18:08





2 Answers

WL is a best practice against BL whenever it is practicable.

The reason is simple: you can't be reasonably safe enumerating what is not permitted; an attacker could always find a way you did not think about. If you can say what is allowed for sure, it is simpler and much, much safer!

drAlberT Avatar answered Oct 13 '22 05:10



The best approach is to either use stored procedures or parameterized queries. Whitelisting is an additional technique that is OK to prevent any injections before they reach the server, but should not be used as your primary defense. Blacklisting is usually a bad idea because it's usually impossible to filter out all malicious inputs.

BTW, this answer assumes you mean sanitizing as in preventing SQL injection.

Chad Avatar answered Oct 13 '22 07:10

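A worked illustration of the two answers above (an added example, not code from either answerer): a whitelist check and a blacklist check for a username field, placed in front of a parameterised query, which is the primary defence. The username rule, the in-memory table and its rows are constructed for this example.

```python
import re
import sqlite3

# Whitelist: state exactly what a valid username looks like (hypothetical rule
# for this example; the real pattern depends on the field's actual domain).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

# Blacklist: an attempt to enumerate "bad" fragments. Any such list is
# incomplete by construction, which is the point both answers make.
BLACKLIST = ("'", "--", ";", "/*")

def whitelist_ok(value: str) -> bool:
    """Accept only values that fully match the allowed pattern."""
    return USERNAME_RE.fullmatch(value) is not None

def blacklist_ok(value: str) -> bool:
    """Reject only values containing a listed fragment; anything else passes."""
    return not any(bad in value for bad in BLACKLIST)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    conn.commit()
    return conn

def find_user_param(conn: sqlite3.Connection, name: str):
    """Primary defence: a parameterised query. The value is bound as data,
    so a quote inside it is just a character, never part of the SQL text."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def find_user(conn: sqlite3.Connection, name: str):
    """Whitelist as defence in depth in front of the parameterised query."""
    if not whitelist_ok(name):
        raise ValueError("username rejected by whitelist")
    return find_user_param(conn, name)

if __name__ == "__main__":
    db = make_db()
    odd = "bob\x00"   # a control byte nobody thought to put on the blacklist
    print(blacklist_ok(odd), whitelist_ok(odd))   # True False
    print(find_user_param(db, "o'brien"))         # (3, "o'brien")
    print(find_user(db, "alice"))                 # (1, 'alice')
```

The blacklist lets the odd value through because it was never enumerated, while the whitelist rejects it without having to know about it; the parameterised lookup returns the row containing a quote because the quote is data, not SQL.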