
"But that's what we mean by "sanitize"! Then you should stop calling it that."

Ugh, eyeroll. Seriously, let's waste time arguing over what to call security vulnerabilities & ways to address them - instead of using consistent terminology that security-minded developers instantly recognize.

To quote the hilarious Mean Girls - "stop trying to make fetch happen".



Although I understand how you feel, I think OP's point was a bit more meaningful: Calling it "sanitizing" leads some programmers to try to "clean up" the input -- but instead they should contain it.

And when they try to "clean it up", they enter the realm of Falsehoods Programmers Believe About X.

e.g. http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-b...


Okay, let's keep advising people to "sanitize" inputs. Even though it's confusing and there's another word that isn't confusing. Because reasons.


There is no other word that isn't confusing. If you refuse to actually do some cursory research into something before implementing it, you're going to get the stupid delete-is-sanitization stuff the author describes.

"Doctor, it hurts when I do this." Don't do that!


Except it looks like everyone's confused and there's a lot of misinformation or high signal-to-noise ratio already.

My Google search "Input sanitization" yielded these first 2 results

http://en.wikipedia.org/wiki/Secure_input_and_output_handlin...

2nd page (or more with a lesser screen), under "other solutions," this is the only line about parameterization: "In particular, to prevent SQL injection, parameterized queries (also known as prepared statements and bind variables) are excellent for improving security while also improving code clarity and performance." Everything else is about filtering, blacklisting, whitelisting, escaping.

http://www.esecurityplanet.com/browser-security/prevent-web-...

Discusses filtering as a solution to HTML injection. Lastly discusses SQL injection, first recommending mysql_real_escape_string(), then in the second paragraph linking to another article about parameterization.

It's not, to an inexperienced developer (this is the web remember?), a clear-cut best practice from just "cursory research". It's a popular tech joke with obvious but non-optimal solutions.
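Added example (not from any commenter in this thread) contrasting the "clean it up" approach with parameterization, using Python's sqlite3 and a constructed name containing an apostrophe; the table, column and function names are my own assumptions:

```python
import sqlite3


def setup_db():
    # Throwaway in-memory database for the demonstration (constructed, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def raw_insert_fails(conn, name):
    # Naive string concatenation: a legitimate apostrophe breaks the statement.
    # This is the failure that tempts people to "sanitize" by deleting characters.
    try:
        conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")
    except sqlite3.OperationalError:
        return True
    return False


def sanitize_by_deletion(value):
    # The "delete-is-sanitization" approach the thread criticises:
    # strip characters that look dangerous before concatenating.
    return "".join(ch for ch in value if ch not in "'\";")


def insert_sanitized(conn, name):
    # The statement no longer breaks, but the stored value is no longer the user's name.
    cleaned = sanitize_by_deletion(name)
    conn.execute(f"INSERT INTO users (name) VALUES ('{cleaned}')")
    return cleaned


def insert_parameterized(conn, name):
    # Containment: the value is bound as data, never parsed as SQL, and stored intact.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return name


def lookup(conn, name):
    # Parameterized lookup, so the search value is also treated as data.
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("raw insert fails:", raw_insert_fails(db, "O'Brien"))
    print("sanitized stores:", insert_sanitized(db, "O'Brien"))
    print("found after sanitizing:", lookup(db, "O'Brien"))
    print("parameterized stores:", insert_parameterized(db, "O'Brien"))
    print("found after parameterizing:", lookup(db, "O'Brien"))
```

The deletion approach silently turns "O'Brien" into "OBrien", so the user can never be found by their real name; the parameterized version stores and retrieves it unchanged.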


https://www.google.com/search?q=input+containerization

What does the inexperienced developer learn from the new search terms?

I don't know why magically using different, non-standard words would prevent a developer from being inexperienced.


Why do you think that? The idea isn't to tell new developers to search for content that doesn't exist. The idea is to teach better solutions, a small part of which is using correct descriptive language when naming things.

"I don't know why magically using different, non-standard words would prevent a developer from being inexperienced." It's really hard to give any response to this sort of flawless logic...


Well, I mean, after thinking hard about this for a few hours, I do get your point and I see where you're going. I'm still not sure I agree, but I see your point.



