Unix Sheikh's resource offers insights, tutorials, and resources for Unix-like operating systems and command-line tools. Readers can learn about shell scripting, system administration, and Linux distributions. With practical examples, code snippets, and troubleshooting tips, Unix Sheikh helps readers become proficient Unix users and sysadmins.

unixsheikh.com

A strong argument against the common advice to 'sanitize user input', explaining the important distinction between sanitization and validation. Sanitization modifies data based on assumed intent, risking data loss and misinterpretation, while validation checks that input meets defined requirements without altering it. The correct approach is to validate input, reject non-conforming data, use prepared statements to prevent SQL injection, and encode/escape data at the point of use — not at the point of storage. Client-side validation is also insufficient for security since it can always be bypassed.

Stop telling people to sanitize user input

I agree. I believe the main issue is that a lot of tutorials are oblivious to the importance of using prepared statements.
Case in point, I recently saw a video posted on YouTube from a company that specialized in security.
They went on and on about why it’s important to sanitize and escape user input due to risk of SQL injection.
It was agonizing to watch people giving advice appearing to be “authoritative” on a subject, only to provide information that is flawed, revealing they completely missed the mark. They never mentioned prepared statements.
Always use prepared statements. Always. Even if there is no user input, you know it might creep in there eventually, so just prepare the statements regardless.
Validate input, use prepared statements, escape output, done.

“After the data has been received you MUST encode and escape the data when it is being used.”
isn’t it more efficient to encode and escape your data before you store it into the database?
I mean that’s essentially what sanitization is …
I don’t see why you should Sanitize after reading the data from the DB. I think the Author and I have different understandings on what **“sanitizing” **is

It’s about which data you are collecting and how you want your UX to be.
If you have textbox and you don’t want special characters in that, while copying text from another place if it copies some special characters, user may be frustrated with the validation error constantly showing

Dear readers! Don’t misinterpret the clickbait title as “Stop telling people to worry about user input completely.” Let me save you 5 minutes.
The whole article is just the author bashing people for not understanding the semantic/technical difference between sanitizing and validating, and for using the terms interchangeably. While I agree with the author’s point of view, given the provocative title, I found the delivery shallow and repetitive.

I think your definition of “sanitizing” is not the same as what most people mean when they talk about sanitizing inputs. Using your definition, you are correct. However, people who don’t use your definition, are also correct when they sanitize their inputs.