> As you know, blocking SQL injection with filters on characters is painful and > not always successful. I got thinking about it and thought of an approach
Painful? That's just an excuse for being lazy. (No offense intended.) Not always successful? ... I don't get this, why not? There are a number of tools and libraries that will quite easily and robustly handle quoting / escaping issues for you. E.g., perl's DBI module handles all your quoting issues by way of prepared statements. All it takes is a little forethought and a lot less laziness. Mohit. -- Mohit Muthanna [mohit (at) muthanna (uhuh) com] "There are 10 types of people. Those who understand binary, and those who don't." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
