Bertrand Mansion wrote:
> On Fri, Dec 11, 2009 at 9:55 PM, Paul Bohme <kepler-proj...@bohme.org> wrote:
>> Thus, in environments that are
>> sensitive to security, simple escaping is insufficient.
> Any concrete examples (or is this just FUD)?
It's a matter of principle. Any database worth its salt is going to
provide a way to put a hard separation around data to make sure it stays
that way. The queries are supplied by code (so as pointed out elsewhere
in this thread DDL and such are a non-issue in that case) so as long as
you can be 100% sure that data remains data then it is not a vector for
attack.
Escaping input is an eternal game of whack-a-mole - which is what makes
it difficult in discussions like this. For every point someone brings
up, someone else can describe a way to escape it. The problem is that
you have to think of *everything* that can possibly be done. If you
have that conceptual difference between code and data, this is a solved
problem.
-P
_______________________________________________
Kepler-Project mailing list
Kepler-Project@lists.luaforge.net
http://lists.luaforge.net/cgi-bin/mailman/listinfo/kepler-project
http://www.keplerproject.org/
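The code/data distinction Paul is arguing for, shown as an added example that is not part of the thread or of the Kepler project's own code. It uses Python's built-in sqlite3 module as a stand-in for whatever database a Kepler application would talk to; the table, rows and function names are constructed for the illustration. The quote-doubling helper is correct for a quoted string literal, yet the same helper placed in an unquoted numeric context lets the input become part of the query. The bound-parameter version of the same lookup never parses the input as SQL, so there is no second position to defend.

```python
import sqlite3

# Constructed sample data: a small table standing in for an application's users.
SAMPLE_USERS = [(1, "alice", "tok-a"), (2, "bob", "tok-b"), (3, "carol", "tok-c")]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_sql_string(s):
    """SQL-standard escaping for a single-quoted literal: double every quote.

    This is a correct rule for exactly one context (inside '...'); it says
    nothing about any other position the value might be spliced into.
    """
    return s.replace("'", "''")


def lookup_by_name_escaped(conn, name):
    # Escaping holds here because the value is spliced into a quoted literal.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_sql_string(name)
    return conn.execute(sql).fetchall()


def build_id_query_escaped(user_id):
    # Same helper, but the developer left the numeric column unquoted.
    # There is no quote character for the attacker to close, so the
    # escaping has nothing to act on and the input is parsed as SQL.
    return "SELECT id, name FROM users WHERE id = %s" % escape_sql_string(user_id)


def lookup_by_id_escaped(conn, user_id):
    return conn.execute(build_id_query_escaped(user_id)).fetchall()


def lookup_by_name_param(conn, name):
    # Bound parameter: the driver hands the value to the engine separately
    # from the statement text, so it is never tokenised as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def lookup_by_id_param(conn, user_id):
    # Same input as the escaped variant; the engine compares the INTEGER
    # column against the whole string "0 OR 1=1" as a value, which matches nothing.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run both strategies against benign and hostile input; return the results."""
    conn = make_db()
    hostile_name = "' OR '1'='1"
    hostile_id = "0 OR 1=1"
    return {
        "name_escaped_benign": lookup_by_name_escaped(conn, "carol"),
        "name_escaped_hostile": lookup_by_name_escaped(conn, hostile_name),
        "id_escaped_benign": lookup_by_id_escaped(conn, "3"),
        "id_escaped_hostile": lookup_by_id_escaped(conn, hostile_id),
        "id_param_benign": lookup_by_id_param(conn, "3"),
        "id_param_hostile": lookup_by_id_param(conn, hostile_id),
        "name_param_hostile": lookup_by_name_param(conn, hostile_name),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-22s %s" % (label, rows))
```

The escaped numeric lookup returns every row for the hostile input, even though the escaping helper is the textbook one; the parameterized lookups return only the row that genuinely matches, because the input stays a value throughout. Note that sqlite3's parameter binding also copes with the benign "3" arriving as a string, since the engine applies the column's numeric affinity to the bound value.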