[OWASP-ESAPI] ESAPI-related SQLi/XSS cheat sheet questions

Jim Manico jim.manico at owasp.org
Sat Aug 29 00:46:10 EDT 2009

ESAPI encoding functions are not quite statics, but a singleton pattern 
(similar performance characteristics)

ESAPI.encoder().encodeForMikeBoberski(userData); and so on.

We do have a coding naming convention yet - we are still jumping off of 
Jeff's extensive original work and using his style, which is clean to me.

I'd like to move to Hungarian notation, my preference for coding. But 
I've given up that battle long ago. Being a Java Developer who likes 
Hungarian notation is a lonely community of one.

And Mike, we are lucky to have active volunteers, I'm not a fan of a big 
name change for the 2.0 release, which will be ready soon. :) Can we 
revisit the name change game post 2.0?

- Jim

> Couple questions,
> _Question # 1._ Are the ESAPI code snippets in the SQLi and XSS cheat 
> sheet an indication that Encoder methods in the a future Java ESAPI 
> release will be static methods? I understand the need to keep the 
> examples simple, but would like to clarify; I propose that the code 
> snippets should be updated to clarify, at least with an initial 
> section that says, all code snippets assume the following setup has 
> been done first.
> _Question # 2._ A related follow-up question: what are generally 
> considered "best practices" based on your experiences with respect to 
> naming conventions when using ESAPI. The Oracle codec is used in 
> several different ways in the SQLi cheat sheet for example. It would 
> be helpful to see examples and documentation using what would be 
> generally agreed to be considered best practices across all ESAPI 
> language implementations. One possible PHP example, for example:
> $ESAPI = new ESAPI(); // the base class should always be called "ESAPI"
> $clean_input = array(); // holds validated input
> $clean_sql = array(); // holds escaped SQL output
> $esapi_validator = $ESAPI::getValidator(); // always use qualified 
> security control names
> $clean_input['id'] = $esapi_validator->getValidInput( ... );
> ...
> Thanks in advance,
> Mike B.
> ------------------------------------------------------------------------
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090829/ce9e3285/attachment.html 

More information about the OWASP-ESAPI mailing list