On Wed, 15 Aug 2007 09:44:56 -0400 Art Protin <[EMAIL PROTECTED]> wrote:
> Carsten Haese wrote:
> >On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
> >>>How often does an identifier come from an untrusted source?
> >>Um, how about in every web-based app that has a real search facility?
> >>One that lets the user specify which column(s) they want to check, or
> >>that can search multiple tables?
> >Even if you take an identifier directly from an untrusted source, nobody
> >is forcing you to stick it into a query unchecked.
> The better question is why is anybody letting him.
> It is the worst form of programming to use unchecked data.
> So is he arguing that he needs tools to check & validate the values before
> using them as table or column names?

Not quite. I'm asking for a tool that will safely insert identifiers from an
untrusted source into a query, much the same way that parameter binding lets
me insert values from an untrusted source.

    thanks,
    <mike
--
Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
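The thread above asks for a way to put user-chosen table and column names into a query as safely as parameter binding handles values. The example below is added here and is not code from the thread or from any DB-API module. It shows the usual defender-side answer: identifiers cannot be bound as parameters, so they are checked against an allowlist built from the database's own schema and then quoted, while the search value still goes through ordinary parameter binding. The schema, the `search` function, the `UnsafeIdentifier` exception and the sample rows are all constructed for the example; it uses the standard-library `sqlite3` module so it runs offline.

```python
import sqlite3

# Constructed sample database (not from the thread): two tables a web search
# form might let the user choose between.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users  VALUES (1, 'alice', 'alice@example.org');
INSERT INTO users  VALUES (2, 'bob',   'bob@example.org');
INSERT INTO orders VALUES (1, 1, 9.99);
""")


class UnsafeIdentifier(ValueError):
    """Raised when an untrusted identifier does not name a known table/column."""


def quote_identifier(name):
    """Quote an SQL identifier for SQLite: wrap in double quotes and double any
    embedded double quote.  This is defence in depth only; the allowlist check
    below is what actually keeps attacker-controlled text out of the query."""
    return '"' + name.replace('"', '""') + '"'


def load_schema(conn):
    """Build {table_name: set(column_names)} from the catalogue.  Names read from
    sqlite_master are trusted: they are the schema, not user input."""
    schema = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        rows = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
        schema[table] = {row[1] for row in rows}   # row[1] is the column name
    return schema


SCHEMA = load_schema(conn)


def identifier_allowed(schema, table, column=None):
    """Exact-match allowlist check.  Anything that is not literally a known
    table (and, if given, a known column of that table) is rejected, so
    'users; DROP TABLE users' or 'name" OR 1=1 --' never reach the SQL text."""
    if table not in schema:
        return False
    if column is None:
        return True
    return column in schema[table]


def safe_identifier(schema, table, column=None):
    """Return the quoted identifier, or raise UnsafeIdentifier if it is unknown."""
    if not identifier_allowed(schema, table, column):
        raise UnsafeIdentifier("unknown identifier: table=%r column=%r"
                               % (table, column))
    return quote_identifier(table if column is None else column)


def search(conn, schema, table, column, needle):
    """Search `column` of `table` for rows containing `needle`.

    `table` and `column` are untrusted identifiers: they go through the
    allowlist and are only then interpolated into the statement text.
    `needle` is an untrusted value: it is passed as a bound parameter,
    exactly as the thread suggests values should be."""
    sql = "SELECT * FROM %s WHERE %s LIKE ?" % (
        safe_identifier(schema, table),
        safe_identifier(schema, table, column),
    )
    return conn.execute(sql, ("%" + needle + "%",)).fetchall()


if __name__ == "__main__":
    print(search(conn, SCHEMA, "users", "email", "alice"))
    for bad_table, bad_column in [("users; DROP TABLE users", "name"),
                                  ("users", 'name" OR 1=1 --')]:
        print(bad_table, bad_column, "allowed:",
              identifier_allowed(SCHEMA, bad_table, bad_column))
```

Loading the allowlist from the catalogue means the application never has to maintain a hand-written list of searchable columns, and an identifier that is not an exact match for a real table or column is refused before any SQL text is built. Note that `LIKE` wildcards (`%`, `_`) inside the bound value are still interpreted by the database; that is a matching-semantics question rather than an injection one, but it is worth escaping them if exact substring search is intended.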