> > String p = request.getParameter("id","id-filter");
> >
> > So filtering would be very easy and as close as possible to the request
> > but not really forced - it would be an option we should document and
> > promote very well.
> >
> > What do you guys think?
>
> Torsten,
>
> call me boring, but wouldn't it be better to use stored procedures over
> dynamic SQL?
>
> It offers: SoC, code re-use, security, performance...
Although I tend to agree... that's not always possible and not always even
wanted. But the point is: everything coming from a request should be
considered evil. (I bet the httpd guys can tell us some nice stories.)

Not only in terms of SQL - where we are actually pretty safe using prepared
statements. If we don't restrict or filter it at some point, injection could
happen everywhere... in the sitemap where request parameters get inserted
into a path or passed as a component parameter, different transformers...
etc. So please don't reduce this to SQL.

--
Torsten
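As an added illustration of the points made in this thread (editor's example, not code from the Cocoon project or from any of the posters), the block below models the proposed `request.getParameter("id", "id-filter")` call as a registry of named allowlist filters and then runs the same raw request value through two sinks: a SQL query (dynamic string versus prepared statement, the distinction raised in the reply) and a file path built from a request parameter (the sitemap case Torsten describes). It is written in Python with sqlite3 rather than the project's Java so it runs stand-alone; the filter names, the `Request` stand-in, the table contents and the directory names are all constructed for the example.

```python
import posixpath
import re
import sqlite3
from typing import Callable, Dict, List, Optional

# Named-filter registry modelled on the getParameter("id", "id-filter") call
# proposed in the thread. Filter names and accepted patterns are assumptions
# made for this example, not anything Cocoon ships.
FILTERS: Dict[str, Callable[[str], str]] = {}


def register_filter(name: str, validator: Callable[[str], str]) -> None:
    FILTERS[name] = validator


def _allow(pattern: str, filter_name: str) -> Callable[[str], str]:
    """Build an allowlist validator: the whole value must match `pattern`."""
    compiled = re.compile(pattern)

    def validate(value: str) -> str:
        if not compiled.fullmatch(value):
            raise ValueError(f"{filter_name} rejected {value!r}")
        return value

    return validate


register_filter("id-filter", _allow(r"[0-9]{1,10}", "id-filter"))
register_filter("name-filter", _allow(r"[A-Za-z0-9_-]{1,32}", "name-filter"))


class Request:
    """Minimal stand-in for a servlet/Cocoon request object (assumption)."""

    def __init__(self, params: Dict[str, str]) -> None:
        self._params = params

    def get_parameter(self, name: str, filter_name: Optional[str] = None) -> Optional[str]:
        value = self._params.get(name)
        if value is None or filter_name is None:
            return value  # unfiltered: exactly the "not really forced" option
        return FILTERS[filter_name](value)  # raises on anything outside the allowlist


def is_rejected(filter_name: str, value: str) -> bool:
    """True when the named filter refuses the value."""
    try:
        FILTERS[filter_name](value)
        return False
    except ValueError:
        return True


# --- Sink 1: SQL ---------------------------------------------------------

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Dynamic SQL with the raw request value: the value is parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_prepared(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Prepared statement: the value is bound, so 'OR 1=1' is just text."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (user_id,)).fetchall()]


def handle(conn: sqlite3.Connection, request: Request) -> List[str]:
    """Filter at the request boundary, then bind: what the proposed API buys."""
    return lookup_prepared(conn, request.get_parameter("id", "id-filter"))


# --- Sink 2: a path built from a request parameter (the sitemap case) ----

def resolve_unsafe(base_dir: str, name: str) -> str:
    """Raw parameter spliced into a path: '../' walks out of base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, name + ".xml"))


def resolve_safe(base_dir: str, name: str) -> str:
    """Allowlist the value first, then verify the result stays under base_dir."""
    name = FILTERS["name-filter"](name)
    path = posixpath.normpath(posixpath.join(base_dir, name + ".xml"))
    if not path.startswith(base_dir.rstrip("/") + "/"):
        raise ValueError(f"path escapes {base_dir}: {path}")
    return path
```

Two things worth noticing. The prepared statement alone neutralises `1 OR 1=1` for the SQL sink, but it does nothing for the path sink, which is why the filter has to sit where the value enters rather than at one particular consumer. And because `get_parameter` without a filter name hands back the raw string, the scheme is only as good as its adoption, which is the "documented and promoted, but not forced" trade-off the proposal itself acknowledges.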