Hello, in this lesson we're going to be talking about mitigating SQL injection vulnerabilities using whitelisting. By the end of this lesson, you'll be able to define the term whitelisting, and I'll walk you through a small example. You'll also be able to discuss the pros and cons of whitelisting.

So first, what is whitelisting? Whitelisting is basically validating that user-controlled data follows a known specification, or is within a set of data that is acceptable. To give you an example, if you have user-controlled data that specifies a table name, and that table name is used in a SQL query in the web app, then you would want to check that user-controlled data against a set of valid table names. Here we have that sort of check. This example comes from OWASP. Here, it goes through the acceptable set of table names that can be used in a particular SQL query.

Another example of whitelisting is if a user can choose the ascending versus descending order of the returned results of a SQL query. Sometimes web app developers use the keywords ASC and DESC in the SQL query, and these two keywords are taken directly as user-controlled input. However, it's wiser to convert the ascending or descending values, those two keywords, to a Boolean representation where ASC means true and DESC means false, and use that Boolean value as the user-controlled input to the SQL query.

So a pro for using whitelisting is that it can be simple to implement. For example, the previous example we saw was fairly simple to implement because the whitelist is a small set of valid input: it was constrained to the set of table names that were valid. However, if the whitelisted data is a little bit more complex, you might need to create a regular expression to match valid input. But that's okay, because there are a lot of resources online to help you write regular expressions.
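The two checks described above, as an added example that is not part of the lesson or the OWASP material: a table name is accepted only if it is a member of a fixed set, and the user's sort choice is converted to a Boolean before the SQL keyword is chosen from it. The sort column whitelist and the sqlite3 sample rows are assumptions added to make the code runnable.

```python
import sqlite3

# Constructed whitelists for this demo (hypothetical schema, not from the lesson).
ALLOWED_TABLES = {"users", "orders"}
ALLOWED_COLUMNS = {"id", "name", "created_at"}


def parse_direction(user_value: str) -> bool:
    """Convert the user's sort choice to a Boolean; anything else is rejected.

    The user's raw text never reaches the SQL string: True means ASC,
    False means DESC, exactly the mapping the lesson recommends.
    """
    normalized = user_value.strip().lower()
    if normalized == "asc":
        return True
    if normalized == "desc":
        return False
    raise ValueError(f"unrecognised sort direction: {user_value!r}")


def build_order_query(table: str, sort_column: str, ascending: bool) -> str:
    """Build a query whose identifiers come only from the whitelists.

    `table` and `sort_column` are user-controlled strings and are accepted
    only if they are members of the fixed sets above, so an identifier that
    is not on the list (including one carrying extra SQL) is refused outright.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not in whitelist: {table!r}")
    if sort_column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not in whitelist: {sort_column!r}")
    direction = "ASC" if ascending else "DESC"  # keyword chosen from the Boolean
    return f"SELECT id, name FROM {table} ORDER BY {sort_column} {direction}"


def fetch_names(table: str, sort_column: str, direction: str) -> list:
    """Run the whitelisted query against an in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "2024-01-01"), (2, "bob", "2024-01-02")],
    )
    query = build_order_query(table, sort_column, parse_direction(direction))
    rows = conn.execute(query).fetchall()
    conn.close()
    return [name for _, name in rows]
```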
To summarize, we went over what whitelisting is and gave a couple of examples of it, and then talked about the pros and cons of using whitelisting to mitigate SQL injection vulnerabilities. In fact, it's actually good practice, wherever you can, to perform whitelisting, or input validation in general, to mitigate a lot of the other injection vulnerabilities as well. It's good coding practice because it constrains what data is acceptable as input to the system. It also helps future developers of your codebase know what data, or what form of input data, the system expects. That's it for now. Thank you for listening.