> From: Christian Haul [mailto:haul@;dvs1.informatik.tu-darmstadt.de]
>
> Another important aspect is not to compose a query from
> strings but use PreparedStatements for that.
IMO, input validation is a bad patch and *this* is the correct solution. The fundamental security flaw is the mixing of SQL commands with user input, which isn't present when using prepared statements (or parameterized queries, as they are called in ADO-land). With input validation you have to outsmart the hacker, making sure that you have covered *all* possible bad inputs and not any good input. With prepared statements you win without fighting.

> I don't see what could be done further.

Me neither.

/LS
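As an added illustration of the point made above (example code, not from the thread), the same lookup written twice: once by concatenating the user's value into the SQL text, once with a bound parameter. Python's sqlite3 placeholders stand in for JDBC PreparedStatements here; the table and the two inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Flawed form: SQL commands and user input are mixed into one string."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Prepared form: the statement is fixed; the value is bound separately."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both forms on a legitimate input and on a syntax-carrying input."""
    conn = make_db()
    results = {}
    # 1. A perfectly good name that happens to contain an apostrophe:
    #    concatenation breaks the statement; the bound parameter just works.
    try:
        results["concat_obrien"] = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        results["concat_obrien"] = "error: " + str(e)
    results["param_obrien"] = lookup_param(conn, "O'Brien")
    # 2. An input carrying SQL syntax (constructed): concatenation lets it
    #    alter the WHERE clause and return every row; binding treats the
    #    whole value as data, so nothing matches.
    tainted = "x' OR '1'='1"
    results["concat_tainted"] = lookup_concat(conn, tainted)
    results["param_tainted"] = lookup_param(conn, tainted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```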