Sanitize this ...
Sanitizing input in software has become a huge topic over the last few years. Big enough that Little Bobby Tables is already a classic cartoon.
Why? Because crooks have learned to trick software into interpreting things differently than intended, so software now has to be written to more carefully ensure its interpretation of things is correct, or risk corrupt data or broken security measures.
How about another approach? How about we stop trying to interpret things that don't need to be interpreted? Then our code gets more secure, our data is safer, and everything is simpler!
I was thinking about this recently, as I mangled SWTF to make it work better for a specific requirement. Another developer looked over the code and noted that I wasn't sanitizing my input. Of course I wasn't, because it doesn't matter.
The input isn't interpreted in any way, so there's no danger of it becoming a security problem. Even the file name is only stored in a file, so the inclusion of the insidious "../../" can't cause any harm.
Sound crazy? Sound like I'm defying convention? Not really. Look, for example, at pg_query_params() in PHP. It, and similar functions in other languages, is now the recommended method of doing things, because it makes SQL injection impossible.
The reason is that it bypasses any attempt to interpret the input. It's simply used. And if you're not looking through it for ' or ; or \, how can those frightening characters do any harm?
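To make the contrast concrete, here is an added example (not from the original post) using Python's built-in sqlite3 module in place of PHP's pg_query_params(); the principle is the same. The "interpreted" version splices the input into the SQL text, so the database parses Little Bobby Tables' payload as commands; the parameterised version hands the value over separately, so it is simply stored. The payload string and table are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the classic "Little Bobby Tables" payload.
BOBBY = "Robert'); DROP TABLE students;--"


def fresh_db():
    """Create an in-memory database with one pre-existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    return conn


def insert_interpreted(conn, name):
    """Vulnerable: the input becomes part of the SQL text, so it is *interpreted*.

    executescript() runs every statement in the string, which is exactly what
    the quote-and-semicolon in the payload relies on.
    """
    sql = "INSERT INTO students (name) VALUES ('%s');" % name
    conn.executescript(sql)


def insert_parameterised(conn, name):
    """Safe: the value travels alongside the query, never inside it.

    The database receives a fixed statement with one placeholder; whatever
    bytes are in `name` are stored as-is, quotes and semicolons included.
    """
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row is not None


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]


if __name__ == "__main__":
    c = fresh_db()
    insert_interpreted(c, BOBBY)
    print("table survives string-built SQL?", table_exists(c))   # False

    c = fresh_db()
    insert_parameterised(c, BOBBY)
    print("table survives parameterised SQL?", table_exists(c))  # True
    print(names(c))  # ['Alice', "Robert'); DROP TABLE students;--"]
```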
So, next time you're worried about sanitizing your input, take a minute to consider whether you should simply stop trying to interpret it instead.
Everyone else is trying to scare you this time of year. I'm trying to show you that it's not as scary as it seems. Happy Halloween.
