> -----Original Message-----
> From: Torsten Curdt [mailto:tcurdt@;dff.st]
> Sent: Tuesday, 5 November 2002 15:25
> To: [EMAIL PROTECTED]
> Subject: Re: A case of SQL injection
>
> String p = request.getParameter("id","id-filter");
>
> So filtering would be very easy and as close as possible to the request
> but not really forced - it would be an option we should document and
> promote very well.
>
> What do you guys think?

Torsten, call me boring, but wouldn't it be better to use stored procedures over dynamic SQL? They offer: SoC, code re-use, security, performance...

Best regards,

Luca Morandini
[EMAIL PROTECTED]
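The two mitigations the thread contrasts, a request-level parameter filter and keeping user input out of dynamic SQL, as an added example that is not part of the original thread or of Cocoon. It is written in Python over an in-memory SQLite table (constructed sample data) rather than the Java `request.getParameter` API under discussion; `get_parameter`, `ID_FILTER` and the table are hypothetical stand-ins, and a bound parameter plays the role of the stored procedure, since SQLite has none.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's user table.
_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


# Hypothetical "id-filter": an allow-list for the id parameter (digits only).
ID_FILTER = re.compile(r"[0-9]{1,9}")


def get_parameter(params, name, filter_re=None):
    """Fetch a request parameter; if a filter is supplied, reject non-matching values."""
    value = params.get(name)
    if value is None:
        return None
    if filter_re is not None and filter_re.fullmatch(value) is None:
        raise ValueError(f"parameter {name!r} rejected by filter")
    return value


def lookup_dynamic(conn, raw_id):
    # Dynamic SQL by concatenation: the value becomes part of the statement text.
    return conn.execute("SELECT name FROM users WHERE id = " + raw_id).fetchall()


def lookup_bound(conn, raw_id):
    # Bound parameter: the value is passed as data and is never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE id = ?", (raw_id,)).fetchall()


def handle_request(conn, params):
    """Filter at the request boundary, then query with a bound parameter.

    Returns ("rejected", None) if the filter refuses the value, else ("ok", rows).
    """
    try:
        raw_id = get_parameter(params, "id", ID_FILTER)
    except ValueError:
        return ("rejected", None)
    return ("ok", lookup_bound(conn, raw_id))
```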