[OWASP-ESAPI] ESAPI-related SQLi/XSS cheat sheet questions

Boberski, Michael [USA] boberski_michael at bah.com
Fri Aug 28 11:29:35 EDT 2009


Couple of questions,

Question # 1. Are the ESAPI code snippets in the SQLi and XSS cheat sheet an indication that Encoder methods in a future Java ESAPI release will be static methods? I understand the need to keep the examples simple, but would like to clarify; I propose that the code snippets should be updated to clarify, at least with an initial section that says, all code snippets assume the following setup has been done first.

Question # 2. A related follow-up question: what are generally considered "best practices" based on your experiences with respect to naming conventions when using ESAPI? The Oracle codec is used in several different ways in the SQLi cheat sheet, for example. It would be helpful to see examples and documentation using what would be generally agreed to be considered best practices across all ESAPI language implementations. One possible PHP example, for example:

$ESAPI = new ESAPI(); // the base class should always be called "ESAPI"

$clean_input = array(); // holds validated input
$clean_sql = array(); // holds escaped SQL output

$esapi_validator = $ESAPI::getValidator(); // always use qualified security control names
$clean_input['id'] = $esapi_validator->getValidInput( ... );

...

Thanks in advance,

Mike B.
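A Java rendering of the pattern Mike proposes (a shared "assumed setup" section first, then consistently qualified control names, with the Oracle codec used one way only), as an added example that is not code from the post or from the ESAPI project. It assumes ESAPI 2.x for Java with a valid ESAPI.properties on the classpath and uses the "SafeString" pattern name from the default properties file; the table and column names are made up for illustration.

```java
// Added example (not from the original post or from the ESAPI project itself).
// Assumes ESAPI 2.x for Java with a valid ESAPI.properties on the classpath;
// "SafeString" is the Validator pattern name from the default properties file.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public final class EsapiSetupExample {

    // --- "Assumed setup" section, shared by every snippet that follows ------
    // Qualified names make it obvious which security control is in use; the
    // static ESAPI locators hide whether the controls are singletons or not.
    private static final Encoder   esapiEncoder   = ESAPI.encoder();
    private static final Validator esapiValidator = ESAPI.validator();
    private static final Codec     oracleCodec    = new OracleCodec();

    /** Validate untrusted input first; a ValidationException means "reject". */
    static String cleanId(String untrustedId) throws ValidationException, IntrusionException {
        // arguments: context, input, pattern name, max length, allowNull
        return esapiValidator.getValidInput("accountId", untrustedId, "SafeString", 32, false);
    }

    /** Preferred: bind the validated value; no SQL escaping is needed at all. */
    static PreparedStatement lookupById(Connection conn, String cleanId) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT name FROM accounts WHERE id = ?");
        ps.setString(1, cleanId);
        return ps;
    }

    /** Fallback only for legacy dynamic SQL: escape with the codec for the actual DBMS. */
    static String legacyQuery(String cleanId) {
        String escapedId = esapiEncoder.encodeForSQL(oracleCodec, cleanId);
        return "SELECT name FROM accounts WHERE id = '" + escapedId + "'";
    }

    /** Output encoding for the HTML body context, as in the XSS cheat sheet. */
    static String renderName(String name) {
        return "<td>" + esapiEncoder.encodeForHTML(name) + "</td>";
    }
}
```

Keeping validation, SQL escaping and HTML encoding behind three fixed, descriptively named fields means each cheat-sheet snippet can reference them without repeating the setup, which is the clarification the post asks for.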

