[OWASP-ESAPI] ESAPI-related SQLi/XSS cheat sheet questions

Mike Boberski mike.boberski at gmail.com
Sat Aug 29 19:18:59 EDT 2009


FYI, section "Naming Conventions" in this:
http://phpsec.org/php-security-guide.pdf is what I'd meant by naming
conventions; the code snippet and questions below should make more sense
after looking at that.

For background, I'm working on promoting the use of ESAPI, and I'm also
managing and doing a little bit of coding along with AVDS, the PHP port of
ESAPI. Trying to understand where ESAPI is and where it's going.

Mike


On Fri, Aug 28, 2009 at 11:29 AM, Boberski, Michael [USA] <
boberski_michael at bah.com> wrote:

>  Couple questions,
>
> *Question # 1.* Are the ESAPI code snippets in the SQLi and XSS cheat
> sheet an indication that Encoder methods in a future Java ESAPI release
> will be static methods? I understand the need to keep the examples simple,
> but would like to clarify; I propose that the code snippets should be
> updated to clarify, at least with an initial section that says, all code
> snippets assume the following setup has been done first.
>
> *Question # 2.* A related follow-up question: what are generally
> considered "best practices" based on your experiences with respect to naming
> conventions when using ESAPI? The Oracle codec is used in several
> different ways in the SQLi cheat sheet for example. It would be helpful to
> see examples and documentation using what would be generally agreed to be
> considered best practices across all ESAPI language implementations. One
> possible PHP example, for example:
>
> $ESAPI = new ESAPI(); // the base class should always be called "ESAPI"
>
> $clean_input = array(); // holds validated input
> $clean_sql = array(); // holds escaped SQL output
>
> $esapi_validator = $ESAPI::getValidator(); // always use qualified security control names
> $clean_input['id'] = $esapi_validator->getValidInput( ... );
>
> ...
>
> Thanks in advance,
>
>  Mike B.
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
>
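The "assume this setup has been done first" preamble that Question 1 asks for, written as an added Java example (not code from this thread or from the cheat sheet): the controls are obtained once through the ESAPI locator rather than static calls on the control classes, names are qualified as Question 2 proposes, and the Oracle codec is used in exactly one way. The context name "userId" and the validation pattern "SafeString" (the default entry in ESAPI.properties) are assumptions.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.errors.ValidationException;

public class EsapiOracleIdExample {

    // Setup assumed by every snippet: look the controls up once via the
    // locator (ESAPI.validator(), ESAPI.encoder()), never via static methods
    // on Validator/Encoder, and keep one codec instance per target interpreter.
    private final Validator esapiValidator = ESAPI.validator();
    private final Encoder esapiEncoder = ESAPI.encoder();
    private final Codec oracleCodec = new OracleCodec();

    /**
     * Validate untrusted input first, then escape the validated value for
     * use inside an Oracle string literal. Invalid input is rejected with a
     * ValidationException instead of being "cleaned up" silently.
     */
    public String escapedIdForOracle(String rawId) throws ValidationException {
        // "SafeString" is a pattern name from ESAPI.properties (assumption);
        // 20 is the maximum length, false means null is not allowed.
        String cleanId = esapiValidator.getValidInput("userId", rawId, "SafeString", 20, false);
        return esapiEncoder.encodeForSQL(oracleCodec, cleanId);
    }

    public static void main(String[] args) throws ValidationException {
        EsapiOracleIdExample example = new EsapiOracleIdExample();
        // Constructed sample input: passes validation and needs no escaping.
        System.out.println(example.escapedIdForOracle("user42"));
    }
}
```

Output escaping is the second line of defence here; a parameterised query (PreparedStatement) remains the primary SQLi control and the encoded value should only ever reach a literal when binding is impossible.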