### Week 10: Secure Coding Practices

Review Resources:
- Read the OWASP Secure Coding Practices. Focus on the top practices, especially those related to input validation and handling secrets.

- Go through the Python tutorials on using environment variables (e.g., the os or dotenv library) and secure database connection practices (which will lead you to parameterized queries).

Targeted Learning:

- Focus your study on the two main vulnerabilities addressed by this week's tasks: SQL Injection and Cross-Site Scripting (XSS). Understand how each one works and why the secure coding practices below prevent it.

#### Task 1: Environment Variables for Secrets
Goal: Eliminate hard-coded secrets.

Action:

Identify any sensitive data (e.g., database credentials, external API keys) in your Week 9 API endpoint.

Install a library like python-dotenv or plan to use the built-in os.environ to read environment variables.

Replace the hard-coded secrets with calls to read from the environment (e.g., os.environ.get('API_KEY')).

Create a .env file (and add it to your .gitignore) to store the actual key/secret for local testing.

#### Task 2: Parameterized Queries
Goal: Demonstrate protection against SQL injection.

Action:

Write a simple script using an SQLite database (or similar).

Insecure Example: Write a function that builds a query string by concatenating a user-provided variable directly (e.g., f"SELECT * FROM users WHERE id = '{user_input}'").

Secure Example: Write a second function that uses the database library's built-in parameterized query feature (using placeholders like ? or %s) to separate the SQL command from the user data.

Demonstrate: Show how a malicious input like ' OR '1'='1 works in the insecure query but fails harmlessly in the parameterized one.
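The following is an added worked example for this task, not code from the course materials. It uses an in-memory SQLite database with a constructed `users` table (the column names are assumptions) and shows the insecure string-built query beside the parameterized one, run against both an honest input and the `' OR '1'='1` payload described above.

```python
import sqlite3

# Constructed sample data: a tiny users table for the demonstration.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_insecure(conn: sqlite3.Connection, user_input: str) -> list:
    """Deliberately vulnerable: the user's text is spliced into the SQL string,
    so a quote in the input changes the structure of the query itself."""
    query = f"SELECT name FROM users WHERE name = '{user_input}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_secure(conn: sqlite3.Connection, user_input: str) -> list:
    """Parameterized: the '?' placeholder is bound by the driver, so the input
    is always treated as one string value and never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (user_input,)))


def demo() -> dict:
    """Run both functions against an honest name and the injection payload."""
    conn = make_db()
    honest = "alice"
    malicious = "' OR '1'='1"
    result = {
        "insecure_honest": find_user_insecure(conn, honest),
        "insecure_malicious": find_user_insecure(conn, malicious),  # leaks every row
        "secure_honest": find_user_secure(conn, honest),
        "secure_malicious": find_user_secure(conn, malicious),  # matches nothing
    }
    conn.close()
    return result


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The insecure function returns all three names for the payload because the final SQL reads `WHERE name = '' OR '1'='1'`; the parameterized function returns an empty list because the whole payload is compared as a literal name.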

#### Task 3: Input Validation and Sanitization
Goal: Securely prepare input for use by a function or model.

Action:

Write a short Python function, say process_user_score(score), that expects a number.

Validation: Check that the input:

Is a number, or can be converted to an integer.

Falls within an expected range (e.g., 0 to 100).

Sanitization: If dealing with text, use a library or a simple regex to remove potentially malicious characters (such as <, >, &, or script tags) that could lead to XSS if the text is displayed later. Since the input in this task feeds a function or model rather than being rendered, focus on ensuring the data type and range are correct.