On 2/17/12 8:52 AM, Ed Leafe wrote:
> On Feb 17, 2012, at 10:48 AM, M Jarvis wrote:
>
>> Don't forget laziness or being a cheapskate.... Diligence is expensive...
>
> Secure programming practices are not expensive. They are just common
> sense.
>
> Protecting data and systems from all possible forms of attack is
> certainly expensive. It requires a staff with highly specialized training,
> monitoring tools, etc. But we're not talking about anything at that level
> here - just basic stuff like SQL injection.
Just to be clear, we are talking about SQL injection from user-entered parameters. It is very important to be diligent in sanitizing this input. The best way to do this is by sending the parameters to the backend for evaluation, and not trying to stuff them into the SQL ourselves. However, dynamically putting together the SQL in your program is fine (and powerful, and elegant) IMO, as long as you are sanitizing the *user-input* parameters.

This is probably stating the obvious, and I haven't read the entire thread, but just in case...

Paul
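The distinction Paul draws above, assembling the SQL text in the program while handing user values to the backend as parameters, is illustrated below. This is an added example, not code from Paul or from the list; it uses Python's sqlite3 module as a runnable stand-in for the backend, and the `orders` table, the `ALLOWED_COLUMNS` set and the sample rows are constructed for the demonstration.

```python
import sqlite3

# Column names are chosen by the program itself, never taken from user input,
# so a whitelist of them is the only check the dynamic part of the SQL needs.
ALLOWED_COLUMNS = {"customer", "city"}


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "Smith", "Austin"), (2, "Jones", "Dallas"), (3, "Smith", "Dallas")],
    )
    return conn


def build_where_unsafe(filters: dict) -> str:
    """The 'stuff them into the SQL ourselves' approach: user values are
    spliced into the statement text. Kept only to contrast with the safe form."""
    clauses = [f"{col} = '{val}'" for col, val in filters.items()]
    return "SELECT id FROM orders WHERE " + " AND ".join(clauses)


def build_where_safe(filters: dict):
    """Dynamic SQL is still assembled in the program (column list, AND chain),
    but every user value travels separately as a bound parameter that the
    backend evaluates as data, never as SQL text."""
    for col in filters:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col}")
    clauses = [f"{col} = ?" for col in filters]
    sql = "SELECT id FROM orders WHERE " + " AND ".join(clauses)
    return sql, tuple(filters.values())


def run_unsafe(filters: dict) -> list:
    """Execute the concatenated form and return matching ids."""
    conn = make_db()
    return [row[0] for row in conn.execute(build_where_unsafe(filters))]


def run_safe(filters: dict) -> list:
    """Execute the parameterized form and return matching ids."""
    conn = make_db()
    sql, params = build_where_safe(filters)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    honest = {"city": "Dallas", "customer": "Smith"}
    # Constructed hostile value: closes the quoted literal and appends an
    # always-true test, so the concatenated query matches every row.
    hostile = {"city": "Dallas", "customer": "x' OR '1'='1"}
    print(run_unsafe(honest), run_safe(honest))    # [3] [3]
    print(run_unsafe(hostile), run_safe(hostile))  # [1, 2, 3] []
```

With the honest filter both forms return the same row, which is why concatenation looks fine in testing. With the hostile value the concatenated query is rewritten by its own input, while the bound parameter is compared as a literal string and matches nothing. The whitelist on column names is what keeps the dynamic part of the statement under the program's control rather than the user's.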

