This conversation happens often enough that I've ceased to be mind boggled by it. A developer will submit code, I review it, and I'll tell them to please sanitize the input. Instead of just using the functions, they'll come back and ask why? Invariably they'll point out that they're using nonces to make sure only authorized actions can happen (no cross site scripting), and they're checking user permissions too, limiting access to only admins. So why am I being pedantic? My default reply:
Admins are humans. Humans make mistakes. Computers do exactly what they're told to do. 

Admins Are Humans

I'm often a broken record, telling people to sanitize, validate, and escape. When people ask me which sanitize function to use in WordPress, I play Socrates and walk them through the logic process. What kind of data are you saving? What will it look like? Okay, now what of these looks the most appropriate based on their descriptions? Sanitizing data is contextual. By this I mean we sanitize for what the saved data should be. If you're saving an email address, make sure you sanitize for email and so on. This has a side benefit of helping validate your data as well. If you check that the email address entry actually is an email, you're both sanitizing and validating. Now you've prevented someone from putting in a domain instead of an email!

Humans Make Mistakes

The details of 'best practices' for coding change often, as we learn about how to make code safer and smarter. That said, the ultimate best practices have nothing to do with the language you're writing in, the app you're writing for, or even the platform!
  • Restrict access to only the people who need it
  • Sanitize and validate the data you're given
  • Provide helpful error messages
  • Test your code with good and bad data
  • Document what the code does and what the errors mean
Those practices transcend every single minutiae of programming. If you do those five steps, your code will be robust, sane, and safe. Because you will have taken the steps to ensure that humans can make as few mistakes as possible. You don't save 'Dog' when true/false is the only valid answer.
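Here is what the email case from earlier and the true/false case look like in a settings handler. This is an added example, not code from a reviewed plugin: it assumes it runs inside WordPress, and every myplugin_* action, nonce, field, and option name is made up for illustration.

```php
<?php
// Added example. All myplugin_* names are hypothetical.
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );

function myplugin_save_settings() {
    // Restrict access: admins only, and only from our own form (nonce).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' ); // dies on a bad or missing nonce

    $errors = array();

    // Email: sanitize for what the data should be, then validate the result.
    $raw_email = isset( $_POST['myplugin_email'] ) ? wp_unslash( $_POST['myplugin_email'] ) : '';
    $email     = sanitize_email( $raw_email );
    if ( '' === $email || ! is_email( $email ) ) {
        $errors[] = __( 'Contact email must be a full address like name@example.com, not just a domain.', 'myplugin' );
    }

    // True/false: only '0' or '1' is valid, so 'Dog' is rejected, not saved.
    $raw_flag = isset( $_POST['myplugin_notify'] ) ? sanitize_key( wp_unslash( $_POST['myplugin_notify'] ) ) : '0';
    if ( ! in_array( $raw_flag, array( '0', '1' ), true ) ) {
        $errors[] = __( 'Notifications must be either on or off.', 'myplugin' );
    }

    // Helpful error message, and nothing is written when any field is bad.
    if ( $errors ) {
        wp_die( esc_html( implode( ' ', $errors ) ), '', array( 'response' => 400, 'back_link' => true ) );
    }

    update_option( 'myplugin_email', $email );
    update_option( 'myplugin_notify', '1' === $raw_flag ? '1' : '0' );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}

// Escape on output, even though the value was sanitized on the way in.
function myplugin_render_fields() {
    wp_nonce_field( 'myplugin_save', 'myplugin_nonce' );
    printf(
        '<input type="email" name="myplugin_email" value="%s" />',
        esc_attr( get_option( 'myplugin_email', '' ) )
    );
    printf(
        '<input type="checkbox" name="myplugin_notify" value="1" %s />',
        checked( '1', get_option( 'myplugin_notify', '0' ), false )
    );
}
```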

Computers Do What We Tell Them To Do

Comic: "The real problem is that AI doesn't exist." (Source: CommitStrip.com)
Computers can't think for themselves, and humans have a tendency to stop thinking at weird moments (or just go on auto-pilot) which means nothing can destroy work faster than a human. And since a computer does what it's told, the most dangerous computer tool is the one that doesn't account for how big a mistake a human can make.

Sanitize, Validate, Escape

Especially when it's an admin.

Comments

  1. Also, XSS (Cross-Site Scripting). Admins click on links in email too.
    https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)