With the beta launch of my company's educational platform (hackArcana), I finally have a place to write more about the fundamentals of security and post more educational content. The first piece I've written for our new platform touches on the confusion around the terms "validation," "sanitization," "encoding," "escaping," and "filtering". Most readers will of course be familiar with these, but because they are casually used interchangeably, they might not know the actual difference between them. Here's the first section of the article:

During various discussions, I've noticed there is some confusion about what exactly sanitization, validation, escaping, and (to add to the list) encoding and filtering are. How do they differ from each other? And which should be applied where? If you're confused about these concepts, or just want to polish up your knowledge, you came to the right place.

Note: This is something that can come up during a job interview. It's also bound to come up in the real world when dealing with application architecture and security, e.g. when selecting the proper solution or fix for your app, or when advising a programmer on one.

The Big Picture

Regardless of which method we're talking about, the end goal is always to be able to process the received input data in a safe way. Note that "process" might mean a whole range of different things here, from storing the data in the database, displaying it in a terminal or on a website, to e.g. feeding it to a deserialization engine.

What's also really common is that the input data can be processed in an application in more than one way, where each method of processing might have different requirements with respect to the data it receives. This already signals that there's more to the topic than just selecting one method and calling it a day.
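To make that last point concrete, here is an added example (not code from the original post or from the hackArcana article) that takes one constructed input and shows how each term applies to a different sink: validation and filtering against a nickname format, sanitization for a terminal, escaping for HTML, and parameterization for a database. The sample value, the regexes and the function names are assumptions made for the illustration.

```python
import html
import re
import sqlite3

# Constructed sample input (not from the original post): a nickname that is
# harmless as data but carries syntax for HTML, SQL string literals and a terminal.
SAMPLE = "O'Brien <b>hi</b> \x1b[31mred"

def validate_nick(value: str) -> bool:
    """Validation: accept or reject the whole value; the data is never modified."""
    return re.fullmatch(r"[A-Za-z0-9_]{3,32}", value) is not None

def filter_nick(value: str) -> str:
    """Filtering: drop characters outside the allowed set. This silently changes
    the meaning of the data, which is why rejecting is usually preferable."""
    return re.sub(r"[^A-Za-z0-9_]", "", value)

def sanitize_for_terminal(value: str) -> str:
    """Sanitization for a terminal sink: remove ANSI escape sequences and other
    control characters so the output cannot drive the terminal."""
    return re.sub(r"\x1b\[[0-9;]*[A-Za-z]|[\x00-\x1f\x7f]", "", value)

def escape_for_html(value: str) -> str:
    """Escaping for the HTML text/attribute context: the characters are kept but
    lose their markup meaning. Note that this does nothing for the terminal sink."""
    return html.escape(value, quote=True)

def store_and_fetch(nick: str, body: str) -> str:
    """Database sink: no string mangling at all; a parameterized query keeps data
    separate from the SQL code, and the value round-trips unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(nick TEXT, body TEXT)")
    conn.execute("INSERT INTO comments VALUES (?, ?)", (nick, body))
    return conn.execute("SELECT body FROM comments WHERE nick = ?", (nick,)).fetchone()[0]

def handle_for_every_sink(value: str) -> dict:
    """One input, several sinks: each sink gets the treatment its context requires."""
    return {
        "valid_as_nick": validate_nick(value),
        "filtered_nick": filter_nick(value),
        "terminal": sanitize_for_terminal(value),
        "html": escape_for_html(value),
        "database": store_and_fetch("reader", value),
    }

if __name__ == "__main__":
    for sink, result in handle_for_every_sink(SAMPLE).items():
        print(f"{sink:>14}: {result!r}")
```

Running it shows the same value rejected by validation, mutilated by filtering, stripped of the escape sequence for the terminal, escaped but still containing the escape sequence for HTML, and stored verbatim by the database.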

Given the above, the actual situation inside the application looks more like this (this is still a simplified picture):

Continue at hackArcana...
