On Wed, 2002-11-06 at 01:00, Carl Mäsak wrote:

> These are a few things in the "SQL Injection" thread that ring true to me
> (I here take the liberty of rephrasing people's opinions in my own words,
> but try to give due credit to the first one to bring up each topic):
>
> 1. Functionality for making a pretty secure SQL interface in Cocoon
> already exists today. Using PreparedStatements is a good example of this.
> (Christian Haul)

true - for SQL

> 2. Implementing enforced security to Cocoon might be possible, but perhaps
> not necessarily a Good Thing, adding unnecessary bulk to Cocoon, and it
> might not be all-encompassing/failsafe anyway. (Torsten Curdt)

right

> 3. SQL injections really are an issue. It's easy to write (say) a login script
> that doesn't check against SQL injections. (Geoff Howard)

we should fix this by using a prepared statement in the login action.

> 4. Some users don't want additional protection. They are happy with the
> current level of (lack of) protection, and add their own as needed. (Peter
> Hunsberger)

AFAIU some would also like to have a centralized management...

> 5. Data type checking shouldn't have to be done by the Database Relational
> Management System, but by the application querying the DBMS. (Ilya
> Kriveshko)

...but in the real world they do a pretty good job ;)

> 6. There doesn't seem to be any explicit mention of SQL Injections in the
> Cocoon docs. (Torsten Curdt)

Christian, did you check the docs?

> Thanks again for all the relevant feedback.

Thanks for the summary :)

--
Torsten
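Points 1 and 3 above (PreparedStatements already make the SQL interface safe; the login action should use one) are illustrated by the following added example. It is not code from this thread or from Cocoon: Cocoon's login action is Java, so this is a Python stand-in using the standard sqlite3 module, with a constructed in-memory users table (user "alice") and hypothetical function names. The vulnerable variant builds the login query by string concatenation, the way a hand-written login script often does; the fixed variant binds the values through `?` placeholders, which is exactly what a JDBC PreparedStatement does.

```python
import hashlib
import sqlite3

# Constructed sample data: one user with a SHA-256 password hash.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"


def pw_hash(password: str) -> str:
    """Hash the supplied password the way the sample table stores it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        (SAMPLE_USER, pw_hash(SAMPLE_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'easy to write' login check from point 3: SQL built by concatenation.

    Returns the user id on success, None otherwise. The username is spliced
    straight into the statement, so a value such as  alice' --  closes the
    quoted literal and comments out the password comparison.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn: sqlite3.Connection, username: str, password: str):
    """The fix from point 1/3: a prepared statement with bound parameters.

    The SQL text never changes; username and hash travel as data, so a quote
    or comment sequence in the input is matched literally, not parsed.
    """
    sql = "SELECT id FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, pw_hash(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # constructed injection payload for the username field
    print("concatenated, good creds :", login_vulnerable(db, "alice", "correct horse"))
    print("concatenated, injection  :", login_vulnerable(db, payload, "wrong"))
    print("prepared, good creds     :", login_prepared(db, "alice", "correct horse"))
    print("prepared, injection      :", login_prepared(db, payload, "wrong"))
```

Note that hashing the password does not save the concatenated version: the username field is still interpolated, so `alice' --` logs in as alice without the password, and `' OR 1=1 --` logs in as whichever row the database returns first. The prepared version rejects both because the placeholder binding keeps them as plain string values.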