On 6/25/2011 7:34 AM, Ken Dibble wrote:

> The thing I don't get about this is that this is obvious to me, a journeyman database developer, as being the only sane way to allow ordinary users access to data. I do not understand why anybody would do it any other way, and I don't understand how it is possible for very highly paid, supposedly top-of-the-mark programmers to have ever created anything so stupid as to permit this kind of thing to happen.
I think I'm with Ken on this. I can see from the examples that if you just paste user input into a SQL statement there are ways to exploit that, but they're really exploiting sloppy programming. If you ALWAYS take user input as string variables to be used in comparisons, then how could you get SQL injected?

Dan Covill

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
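The distinction the thread is circling, shown as an added example that is not from the list or from any VFP code: the same user-supplied string is either pasted into the SQL text (sloppy programming, as Dan puts it) or bound as a query parameter so it is only ever compared as a value. Written in Python with the standard-library sqlite3 module, using a constructed in-memory table.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the thread.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Pastes the input into the statement: the string becomes SQL text,
    so quotes inside it change the shape of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Binds the input as a parameter: the statement text is fixed and the
    driver hands the whole string to the engine as one comparison value."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups on a benign name and on a string carrying a quote."""
    conn = make_db()
    benign = "alice"
    quoted = "x' OR '1'='1"  # constructed input containing a single quote
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_quoted": lookup_concat(conn, quoted),  # matches every row
        "param_benign": lookup_param(conn, benign),
        "param_quoted": lookup_param(conn, quoted),    # matches nothing
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The concatenated form returns every user for the quoted input because the quote closes the literal early; the bound form returns an empty list because no user is literally named `x' OR '1'='1`.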

