On Jun 27, 2011, at 7:55 AM, Grigore Dolghin wrote:
> I watched the video. While I agree that works, it still sucks. "DROP"
> can be LEGIT data. I just don't understand why people avoid a built-in
> fail-proof method readily available and use instead all sorts of
> improvisations. WTF. What if @Filters is longer than 200 chars?
The typical cause for this behavior is a developer thinking that they
understand everything that could possibly happen, and that they're able to
write the code to deal with it. It usually doesn't occur to them that there are
people who do nothing all day except think of ways to penetrate such defenses,
and other people who do nothing all day except keep that first group out.
IMO, it's extreme hubris to think that someone who does all sorts of
programming stuff all the time could do as well as either of these groups. The
reason that most databases come with proper data sanitizing methods is that
these problems have already been analyzed and solved with more man-hours than any
solo developer could devote to such a task.
Security is hard. Cryptography is hard. As soon as you think that you
can do it better, you're in trouble.
-- Ed Leafe
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
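The contrast the thread is drawing, as an added example that is not code from the list or from either poster: a keyword blacklist of the kind Grigore describes, beside the "built-in" method (a bound parameter), run against a constructed in-memory SQLite table. The table, the column names, the blacklist contents and the function names are assumptions chosen for illustration; the point is that the blacklist rejects legitimate data containing "Drop" while letting an injection that uses no blacklisted word straight through, and that the parameterized query needs neither check.

```python
import sqlite3

# Constructed sample data (not from the thread): an orders table whose notes
# legitimately contain the word "drop".
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, note TEXT);
        INSERT INTO orders(customer, note) VALUES
            ('alice', 'Drop off at back door'),
            ('bob',   'Leave with neighbour');
    """)
    return conn

# The home-grown defence the thread complains about: reject any value that
# contains a "dangerous" token, then concatenate it into the statement.
# (Assumed blacklist; real ones vary, the weakness does not.)
BLACKLIST = ("DROP", "DELETE", "UPDATE", ";", "--")

def keyword_filter_ok(value):
    """Return True if the value passes the blacklist, False if it is rejected."""
    upper = value.upper()
    return not any(token in upper for token in BLACKLIST)

def search_concat(conn, customer):
    """Vulnerable: blacklist check followed by string concatenation."""
    if not keyword_filter_ok(customer):
        raise ValueError("rejected by keyword filter")
    sql = "SELECT customer, note FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

# The built-in method: a bound parameter. The driver hands the value to the
# engine separately from the SQL text, so it is never parsed as SQL and no
# keyword check or length limit is needed for safety.
def search_param(conn, customer):
    return conn.execute(
        "SELECT customer, note FROM orders WHERE customer = ?", (customer,)
    ).fetchall()

def add_note_param(conn, customer, note):
    """Insert via bound parameters and return the new row count."""
    conn.execute("INSERT INTO orders(customer, note) VALUES (?, ?)", (customer, note))
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]

if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"   # contains no blacklisted token, so the filter accepts it
    print(keyword_filter_ok("Drop off at back door"))  # False: legitimate data rejected
    print(keyword_filter_ok(payload))                   # True: attack accepted
    print(search_concat(conn, payload))                 # every row in the table
    print(search_param(conn, payload))                  # []: the value is just a string
    print(add_note_param(conn, "carol", "Drop off at reception; ring bell"))  # 3
```

Two things to note when running it: the concatenated query returns both rows for the payload because the quote in the value closes the literal and the `OR '1'='1'` becomes part of the WHERE clause, and the parameterized insert stores a note containing both "Drop" and a semicolon without complaint, which is exactly the legitimate data the blacklist would have thrown away.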