To clarify, I'm talking about things like passing unfiltered user input to a system shell, or a native API, something like that.
True. In the case of passing a user input string to the shell or a database server, you're accepting what's potential a program as input. However, if your language's type system considers that program to be a string, there's no way your compiler can perform relevant security checks.
I've read papers on the topic of adding new data types like relational database tables or XML documents to existing languages (as Xen does for C#), expanding the type system to deal with such data directly instead of reducing it to a string that the compiler can't automatically type check. However, there are always going to be new programs to pass data to, and strings will always be a convenient choice of packaging new unknown data types, so I don't see this problem going away in the future, though particular attack instances like SQL injection may disappear.
-- James Walden, Ph.D. Visiting Assistant Professor of EECS The University of Toledo @ LCCC http://www.eecs.utoledo.edu/~jwalden/ [EMAIL PROTECTED]
