On Mon, 10 Dec 2007, Mike McGonagle wrote:
> I guess what I am getting at is that I don't see how we can prevent people
> from using this maliciously.

Using true placeholders or other form of automatic quoting.

> If they are creating the SQL and putting the data into it, how can we
> stop them from being idiots?

If you have automatic quoting, you don't even have to think about who is
an idiot and who isn't. I don't want to think about who's an idiot and who
isn't. I don't want you to think about it.

> Are you saying that we need to do data checking prior to the data being
> sent to the server?

If you quote your data properly then you don't need to check whether the
data will garble the query's syntax or not. Therefore, no, I don't think
what you need to do on the data is a "check"... though at the character
level, you have to "check" in order to know which chars have to be
replaced.
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
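The three approaches discussed in the exchange above, shown side by side as an added example (not code from the list thread or from Pd): splicing data into SQL text, which breaks on an apostrophe; true driver placeholders; and character-level automatic quoting, where the only "check" is finding the quote characters to double. It assumes Python's built-in sqlite3 module and a constructed in-memory table.

```python
import sqlite3


def make_db():
    # Constructed sample schema, in memory so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")
    return conn


def insert_by_concatenation(conn, author, body):
    # The pattern being criticised: the caller builds the SQL text and
    # pastes the data straight into it. Any apostrophe in the data ends
    # the literal early and garbles the query's syntax.
    sql = ("INSERT INTO notes (author, body) VALUES ('"
           + author + "', '" + body + "')")
    conn.execute(sql)


def insert_with_placeholders(conn, author, body):
    # True placeholders: the SQL text is fixed and the driver passes the
    # values separately, so the data can never be parsed as SQL.
    conn.execute("INSERT INTO notes (author, body) VALUES (?, ?)",
                 (author, body))


def quote_literal(value):
    # Automatic quoting at the character level: the SQL-standard rule for
    # a string literal is to double every single quote and wrap the result
    # in quotes. Dialects that also treat backslash as an escape (MySQL in
    # its default mode) need their driver's own quoting routine instead.
    return "'" + value.replace("'", "''") + "'"


def insert_with_quoting(conn, author, body):
    # Same query shape as the concatenation version, but every value goes
    # through quote_literal() before it touches the SQL text.
    sql = "INSERT INTO notes (author, body) VALUES (%s, %s)" % (
        quote_literal(author), quote_literal(body))
    conn.execute(sql)


def demo(author="O'Brien", body="it's fine"):
    # Runs all three on the same (constructed) data and reports what happened.
    results = {}
    conn = make_db()
    try:
        insert_by_concatenation(conn, author, body)
        results["concat"] = "ok"
    except sqlite3.Error as exc:
        results["concat"] = "error: %s" % exc
    insert_with_placeholders(conn, author, body)
    insert_with_quoting(conn, author, body)
    results["rows"] = conn.execute("SELECT author, body FROM notes").fetchall()
    return results
```

With the default arguments the concatenated query fails with a syntax error, while both the placeholder and the quoted versions store the apostrophes intact.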