On 10/18/07, Ian Hickson <[EMAIL PROTECTED]> wrote:
> What would be cool is if we could detect, through tainting, the bad
> codepaths. But I see no way to do that here.
Could you simply require that all SQL statements be of the form "X = ?" instead of "X = 1", i.e., any attempt to not use parameterized expressions throws? I know it's possible to screw this up, but would it at least be hard enough?
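
One way the "must be of the form X = ?" rule could be enforced, as an added example that is not part of the thread: a wrapper that rejects any statement whose comparisons use an inline literal and that checks the placeholder count against the supplied parameters. The `executeSql(sql, params)` call shape is an assumption modelled on the Web SQL API, and the check is a heuristic lint, which is exactly the "possible to screw this up" caveat above.

```javascript
// Added example, not code from the thread: a guard that enforces the
// "X = ?" rule by rejecting SQL whose comparisons use inline literals.
// It is a lint, not a proof: a determined author can still evade it.

// Comparison operator followed by a string or numeric literal.
const COMPARISON_TO_LITERAL =
  /(=|<>|!=|<=|>=|<|>|\bLIKE\b|\bIN\s*\()\s*('(?:[^']|'')*'|\d)/i;
// Any string literal; blanked before counting "?" placeholders.
const STRING_LITERAL = /'(?:[^']|'')*'/g;

// Returns { placeholders, problems }; problems is empty when the
// statement only compares columns against "?" placeholders.
function checkParameterized(sql) {
  const problems = [];
  const m = COMPARISON_TO_LITERAL.exec(sql);
  if (m) {
    problems.push(`inline literal after "${m[1]}": use ? instead`);
  }
  // Count "?" outside string literals only, so "'?'" is not a placeholder.
  const stripped = sql.replace(STRING_LITERAL, "''");
  const placeholders = (stripped.match(/\?/g) || []).length;
  return { placeholders, problems };
}

// Wrapper around an executeSql(sql, params)-style call (Web SQL shape,
// assumed); throws instead of running a non-parameterized statement.
function executeChecked(db, sql, params) {
  const { placeholders, problems } = checkParameterized(sql);
  if (problems.length > 0) {
    throw new Error(`rejected statement: ${problems.join('; ')}`);
  }
  if (placeholders !== params.length) {
    throw new Error(`expected ${placeholders} params, got ${params.length}`);
  }
  return db.executeSql(sql, params);
}

// Demo with a stub database; the third statement is rejected.
const stubDb = { executeSql: (sql, params) => ({ sql, params }) };
executeChecked(stubDb, 'SELECT name FROM users WHERE id = ?', [42]);
executeChecked(stubDb, "SELECT 'fixed' AS tag, name FROM users WHERE id = ?", [7]);
try {
  executeChecked(stubDb, "SELECT name FROM users WHERE role = 'admin'", []);
} catch (e) {
  console.log(e.message); // rejected statement: inline literal after "=": use ? instead
}
```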
