DigiNews

Tech Watch by Johan Denoyer

← Back to articles

Structurally fixing injection bugs (2012)

Quality: 8/10 Relevance: 9/10

Summary

This post argues that input sanitization alone is not enough to prevent injection vulnerabilities such as XSS and SQL injection. It advocates structural security: avoiding embedding user input into code, escaping output, and representing data with proper structures (e.g., DOM trees or DSLs) so security is ensured by design. It provides examples in PHP, Ruby, and Scheme, discusses the pitfalls of string interpolation, and offers practical approaches like separating data from commands and using safe libraries.

🚀 Service construit par Johan Denoyer