> If anything, this proposal would help user-land solutions (it gives them
> more information while the code is in running).

Well, it might help runtime-based user-land solutions, but not static
analysis-based solutions.

In our bug disclosure program at Vimeo we've had no SQL injection issues
reported, but a number of XSS issues (echoing attacker-controlled data),
and those issues cannot so easily be prevented by this technique as there's
generally little reason to echo literal values.

I can also think of a number of user-constructed SQL queries (e.g. WHERE
... IN) that require non-literal values to work (if this were to come to
pass there might be a set of special `unsafe` methods).

Reply via email to