# String Trepanation

6 thoughts
last posted Aug. 30, 2013, 12:45 a.m.

Let's stop calling it "Sanitization".

The issue isn't that the strings are dirty, and you're removing the dirt. After all, turning "<" into "\<" hasn't removed the objectionable material, it's just transformed it. Made it dirtier, even.

The issue is that you want to let the bad thoughts out of the string.

";--\ndrop table users;--" isn't dirt; it's an active evil, a demon. You want to get it out of your string by making a little hole near the ";" to let it out. You're trepanning the string.
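An added example, not from the post: the trepanation approach (a hand-rolled imitation of PHP's addslashes, assumed here for illustration) beside the approach that leaves the string alone, driver parameter binding. It runs against SQLite, which has no backslash escape at all, using the string above plus a constructed legitimate name, "O'Brien".

```python
import sqlite3

# The string quoted in the post, used here as a constructed test value.
PAYLOAD = '";--\ndrop table users;--'
# A perfectly ordinary value that the backslash approach also mishandles.
LEGIT_NAME = "O'Brien"


def addslashes(s: str) -> str:
    """Trepanation: a backslash in front of every quote, addslashes() style.
    SQLite's only escape inside a literal is a doubled quote, so this merely
    transforms the text; nothing is removed and the backslash itself stays."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("create table users (name text);"
                       "insert into users values ('alice');")
    return conn


def insert_escaped(conn: sqlite3.Connection, name: str) -> bool:
    """SQL text assembled by hand from the 'escaped' value.
    Returns whether the database accepted the statement at all."""
    try:
        conn.executescript(f"insert into users values ('{addslashes(name)}');")
        return True
    except sqlite3.Error:
        return False


def insert_bound(conn: sqlite3.Connection, name: str) -> bool:
    """Parameter binding: the SQL text is fixed and the value travels
    separately, so it is never parsed as SQL, whatever it contains."""
    conn.execute("insert into users values (?)", (name,))
    return True


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute("select count(*) from sqlite_master "
                       "where type='table' and name='users'").fetchone()
    return row[0] == 1


def stored_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("select name from users order by rowid")]


def demo(inserter):
    """Run one strategy against both values; report acceptance and what was stored."""
    conn = fresh_db()
    ok_payload, ok_legit = inserter(conn, PAYLOAD), inserter(conn, LEGIT_NAME)
    return ok_payload, ok_legit, users_table_exists(conn), stored_names(conn)
```

The escaped path stores the demon with an extra backslash welded on and rejects the real name; the bound path stores both strings exactly as given, and the table survives either way.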

The nice thing about this metaphor is that in addition to being a more accurate description of what you're doing, it's also a great metaphor about the kind of people who think that this is a good idea, as well as the state of the practice of technology that they are familiar with.

Hopefully the next time you see a PHP developer headed for your inputs with some backslashes and extra quotes, you'll have a clear mental picture of a concerned-looking medieval physician headed for you with a nice, sharp corkscrew.

React accordingly.