blacklisting vs whitelisting in form's input filtering and validation

filter validation whitelist blacklist
ultrajohn picture ultrajohn · Aug 24, 2010 · Viewed 21.4k times · Source

which is the preferred approach in sanitizing inputs coming from the user?

thank you!

Answer

Chad picture Chad · Aug 24, 2010

The best approach is to either use stored procedures or parameterized queries. White listing is an additional technique that is ok to prevent any injections before they reach the server, but should not be used as your primary defense. Black listing is usually a bad idea because it's usually impossible to filter out all malicious inputs.

BTW, this answer is considering you mean sanitizing as in preventing sql injection.

Related questions

FILTER_FLAG_STRIP_LOW vs FILTER_FLAG_STRIP_HIGH?

In reference to the filter_var function in PHP 5: I have visited its documentation at: http://php.net/manual/en/filter.filters.sanitize.php, but I still have this question: What are the exact differences? For simpler clarification, please provide …

Read More
Remove rows with all or some NAs (missing values) in data.frame

I'd like to remove the lines in this data frame that: a) contain NAs across all columns. Below is my example data frame. gene hsap mmul mmus rnor cfam 1 ENSG00000208234 0 NA NA NA NA 2 ENSG00000199674 0 2 2 2 2 3 ENSG00000221622 0 NA NA NA NA 4 …

Read More
List comprehension vs. lambda + filter

I happened to find myself having a basic filtering need: I have a list and I have to filter it by an attribute of the items. My code looked like this: my_list = [x for x in my_list if …

Read More