Good variable naming can help keep track of the security condition of data to help avoid simple mistakes.
- It's important to keep track of which data has been sanitized and which has not. We can use variable names to label which data is potentially dangerous and which data is safe to use. Before sanitization we can use names such as dirty, raw or unsafe. After sanitization we can use names such as clean, sanitized or safe. Let me show you an example using PHP. An email address is received from a webform and assigned to the variable raw_email. The prefix raw makes it obvious that it has not been sanitized. After the value passes through a sanitize function it's assigned to a new variable, safe_email. The prefix safe makes it clear the data has now been sanitized. Of course it can also be done as a one step process without using the variable raw_email, but still the variable name indicates that it has been sanitized. Here's another example using Ruby on Rails. An empty hash is assigned to the variable dirty_params. Several request parameters are added to it. Then the sanitize method is called on each one in turn and the result is assigned to a new variable called clean_params. Using variable names as labels is a simple, effective way to keep track of the security condition of your data so they can help you to avoid simple mistakes.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
Skill Level Beginner
Web Programming Foundationswith Morten Rand-Hendriksen58m 44s Beginner
Web Security: Same-Origin Policieswith Sasha Vodnik1h 54m Advanced
1. Security Overview
2. General Security Principles
3. Filter Input, Control Output
4. The Most Common Attacks
Next steps2m 26s
- Mark as unwatched
- Mark all as unwatched
Are you sure you want to mark all the videos in this course as unwatched?
This will not affect your course history, your reports, or your certificates of completion for this course.Cancel
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
1:30Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.