From: Jeff Garland (jeff_at_[hidden])
Date: 2007-03-17 13:35:46
Jorge Lodos wrote:
> Michael Walter wrote:
>> On 3/16/07, Jorge Lodos <lodos_at_[hidden]> wrote:
>>> Security is another reason to go away from sql queries as strings.
>>> Prevent SQL injection attacks.
>> You bind your parameters, you don't have any problems (except
>> when this doesn't work, but then stored procedures don't help either).
> Sure, but it is the programmer responsibility to bind the parameters instead
> of concatenating strings.
> Not using SQL strings avoids errors from programmers. What happens with many
> of the existing SQL injection attacks is that programmers didn't bind
> even when they had the possibility to do so.
Sorry, I don't see how any of this applies -- just because the SQL is a string
doesn't mean it comes from an untrusted source. And, programmers that don't
validate input from untrusted sources deserve what they get....