These are a few things in the "SQL Injection" thread that ring true to me (I here take the liberty of rephrasing people's opinions in my own words, but try to give due credit to the first one to bring up each topic):

1. Functionality for making a pretty secure SQL interface in Cocoon already exists today. Using PreparedStatements is a good example of this. (Christian Haul)
2. Implementing enforced security to Cocoon might be possible, but perhaps not necessarily a Good Thing, adding unnecessary bulk to Cocoon, and it might not be all-encompassing/failsafe anyway. (Torsten Curdt)
3. SQL Inj:s really is an issue. It's easy to write (say) a login script that doesn't check against SQL Injections. (Geoff Howard)
4. Some users don't want additional protection. They are happy with the current level of (lack of) protection, and add their own as needed. (Peter Hunsberger)
5. Data type checking shouldn't have to be done by the Database Relational Management System, but by the application querying the DBMS. (Ilya Kriveshko)
6. There doesn't seem to be any explicit mention of SQL Injections in the Cocoon docs. (Torsten Curdt)

Thanks again for all the relevant feedback.

// Carl Mäsak
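
Points 1, 3 and 5 above, as an added example that is not part of the original message or of Cocoon. Python's sqlite3 parameter binding stands in for JDBC PreparedStatements here, and the table, the account and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # The password is stored in the clear only to keep the example short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    db.execute("INSERT INTO users (name, pw) VALUES (?, ?)", ("carl", "s3cret"))
    return db

def login_concat(db, name, pw):
    # Point 3: the statement text is built from user input, so a quote
    # character in `name` changes the structure of the query itself.
    sql = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return db.execute(sql).fetchone() is not None

def login_bound(db, name, pw):
    # Point 1: placeholders keep the statement fixed; input is bound as data
    # and is never parsed as SQL.
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (name, pw)).fetchone() is not None

def user_by_id(db, raw_id):
    # Point 5: the application checks the data type before the DBMS sees it.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    row = db.execute("SELECT name FROM users WHERE id = ?",
                     (int(raw_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    crafted = "carl' --"  # constructed input: quote plus SQL comment marker
    print("concatenated, wrong password:", login_concat(db, crafted, "x"))
    print("bound, wrong password:       ", login_bound(db, crafted, "x"))
    print("bound, right credentials:    ", login_bound(db, "carl", "s3cret"))
```
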