Structurally fixing injection bugs (2012)
Summary
This post argues that input sanitization alone is not enough to prevent injection vulnerabilities such as XSS and SQL injection. It advocates structural security: avoiding embedding user input into code, escaping output, and representing data with proper structures (e.g., DOM trees or DSLs) so security is ensured by design. It provides examples in PHP, Ruby, and Scheme, discusses the pitfalls of string interpolation, and offers practical approaches like separating data from commands and using safe libraries.