On Wed, Apr 28, 2010 at 8:56 AM, Ed Leafe <[email protected]> wrote:

> On Apr 28, 2010, at 9:41 AM, Stephen Russell wrote:
>
>> Dynamic SQL is very unsafe from an injection POV. But you knew that.
>
> That is so not true. Dumb programmers are unsafe, and anyone who would
> accept unescaped outside text and execute it, whether in SQL or not, is dumb.
>
> There are safe ways to create dynamic SQL, just as there are safe ways
> to create dynamic HTML. It is silly and somewhat irresponsible to claim
> anything like "Dynamic SQL is unsafe".

-------------------------
Having proof of textual clean processes allows you to override the statement. Not having them keeps the statement valid.

In some of the apps my company has, they do not validate text before presentation to the db. I would just guess that it happens more than you think.

I was chastised by my boss for putting in time to make one. He thought I was wasting time, but the other lead agreed that we have a lot of missing tools and was happy that I started to fill the void.

Long Live the PHB!!!

--
Stephen Russell
Sr. Production Systems Programmer
CIMSgts
901.246-0159 cell

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
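An added example, written for this archive page and not code from either poster, showing the distinction the thread argues over: dynamic SQL that pastes outside text into the statement versus dynamic SQL that keeps the statement text fixed and binds the value. It uses Python's sqlite3 with a constructed in-memory table; the function and column names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Dynamic SQL by string concatenation: the outside text becomes SQL syntax,
    so a value containing a quote changes the WHERE clause instead of being matched."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Dynamic SQL built safely: the statement is fixed, the value is bound separately
    by the driver and can never be parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def lookup_dynamic_column(conn, column, value):
    """When the statement's *structure* must vary (here the column name), identifiers
    cannot be bound as parameters; restrict them to an allow-list and still bind the value."""
    allowed = {"name", "role"}
    if column not in allowed:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f"SELECT name FROM users WHERE {column} = ?"
    return sorted(row[0] for row in conn.execute(sql, (value,)))


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"            # constructed input containing a quote
    print(lookup_concat(db, tainted))   # ['alice', 'bob', 'carol']: the filter was rewritten
    print(lookup_param(db, tainted))    # []: no user is literally named that
    print(lookup_dynamic_column(db, "role", "admin"))  # ['alice']
```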

