Maxi Contieri

Posted on • Originally published at maximilianocontieri.com
Code Smell 189 - Not Sanitized Input

Bad actors are out there. We need to be very careful with their input.

TL;DR: Sanitize everything that comes from outside your control.

Problems

  • Security

Solutions

  1. Use sanitization and input filtering techniques.

Context

Whenever you get input from an external resource, a basic security principle requires you to validate it and check for potentially harmful content.

SQL Injection is a notable example of a threat.

We can also add assertions and invariants to our inputs.

Even better, we can work with Domain Restricted Objects.
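The three ideas above (validation, invariants, Domain Restricted Objects) combined in one added example, which is not part of the original article: a `Username` value object that refuses to exist in an invalid state, and a lookup that only accepts that object and still binds it as a query parameter. The class name, length limits and `users` table are assumptions made for the example.

```python
import sqlite3
from typing import Optional

# Added example, not the article's own code. The class, limits and table are
# assumptions made here to show a Domain Restricted Object in practice.

class Username:
    """Value object that can only exist in a valid state."""
    MIN_LENGTH, MAX_LENGTH = 3, 32

    def __init__(self, value: str) -> None:
        # Invariants are checked on construction instead of silently
        # stripping characters, so callers learn that the input was bad.
        if not self.MIN_LENGTH <= len(value) <= self.MAX_LENGTH:
            raise ValueError("username length out of range")
        # str.isalnum() is Unicode-aware: letters beyond ASCII are accepted,
        # while quotes, spaces and SQL punctuation such as ' ; -- are rejected.
        if not value.isalnum():
            raise ValueError("username has non-alphanumeric characters")
        self.value = value

def is_valid_username(raw: str) -> bool:
    """True when the raw input satisfies the Username invariants."""
    try:
        Username(raw)
    except ValueError:
        return False
    return True

def find_user_id(conn: sqlite3.Connection, name: Username) -> Optional[int]:
    # The query accepts only a Username, and the value is still bound as a
    # parameter rather than concatenated: two independent layers of defence.
    row = conn.execute(
        "SELECT id FROM users WHERE name = ?", (name.value,)
    ).fetchone()
    return row[0] if row else None

def demo() -> list:
    """Exercise the checks against a constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("abc123",), ("José",)])
    results = []
    for raw in ["abc123", "José", "abc123!@#", "x' OR '1'='1"]:
        if is_valid_username(raw):
            results.append(find_user_id(conn, Username(raw)))
        else:
            results.append("rejected")
    return results
```

Rejecting instead of stripping also addresses the non-English concern raised in the comments, since `isalnum()` accepts accented and non-Latin letters while still excluding punctuation.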

Sample Code

Wrong

user_input = "abc123!@#"
# This content might not be very safe if we expect just alphanumeric characters

Right

import re

def sanitize(string):
    # Keep only ASCII letters and digits; every other character is dropped
    sanitized_string = re.sub(r'[^a-zA-Z0-9]', '', string)
    return sanitized_string

user_input = "abc123!@#"
print(sanitize(user_input))  # Output: "abc123"


Detection

[X] Semi-Automatic

We can statically check all the inputs, and we can also use penetration testing tools.

Tags

  • Security

Conclusion

We need to be very cautious with the inputs beyond our control.

Relations

More Info

Disclaimer

Code Smells are just my opinion.

Credits

Photo by Jess Zoerb on Unsplash


Companies should make their own enterprise systems as often as network security companies should manufacture their own aspirin.

Phil Simon


This article is part of the CodeSmell Series.


Top comments (2)

Ben Sinclair • Edited

Sanitisation can get quite complex when you're stripping invalid characters, but you need to allow users to enter things that aren't in English. By which I guess I mean, don't roll your own, use an existing library for it.

Maxi Contieri

Yes. The example is a simple case just to illustrate the concept, as usual.
