From: Jeff Garland (jeff_at_[hidden])
Date: 2007-03-17 13:35:46
Jorge Lodos wrote:
> Michael Walter wrote:
>> On 3/16/07, Jorge Lodos <lodos_at_[hidden]> wrote:
>>> Security is another reason to go away from sql queries as strings.
>>> Prevent SQL injection attacks.
>> You bind your parameters, you don't have any problems (except
>> when this doesn't work, but then stored procedures don't help either).
> Sure, but it is the programmer's responsibility to bind the parameters instead
> of concatenating strings.
> Not using SQL strings avoids errors from programmers. What happens with many
> of the existing SQL injection attacks is that programmers didn't bind
> even when they had the possibility to do so.
Sorry, I don't see how any of this applies -- just because the SQL is a string
doesn't mean it comes from an untrusted source. And, programmers that don't
validate input from untrusted sources deserve what they get....
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk
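The two patterns the thread argues about, side by side, as an added example that is not code from the original thread or from any Boost library under discussion. It uses Python's standard `sqlite3` module (an assumption: the thread is about C++, but the binding behaviour is the same in any driver) and a constructed in-memory table, and shows why the bound form needs no programmer validation step: the value never reaches the SQL parser, so the same input that rewrites the concatenated query's WHERE clause is just an unusual user name to the bound one.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the thread).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern from the thread: the query is built by string
    concatenation, so whatever is in `name` becomes part of the SQL text
    and is parsed as SQL syntax, not treated as data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Bound-parameter pattern: the SQL text is a constant with a
    placeholder; the driver sends `name` as a value, so it can never
    change the shape of the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input that is data to a bound query but syntax to a
# concatenated one: it closes the quoted literal and appends a
# condition that is true for every row.
ODD_NAME = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal name and with ODD_NAME and return
    the row sets so the difference can be checked programmatically."""
    conn = make_db()
    try:
        return {
            "concat_normal": lookup_concat(conn, "bob"),
            "concat_odd": lookup_concat(conn, ODD_NAME),     # every row leaks
            "bound_normal": lookup_bound(conn, "bob"),
            "bound_odd": lookup_bound(conn, ODD_NAME),       # no such user: []
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14} -> {rows}")
```

The concatenated version returns one row for `bob` but all three rows for the odd name, because the WHERE clause it executes is `name = '' OR '1'='1'`. The bound version returns one row for `bob` and nothing for the odd name. That is the point Jorge is making: with binding, the safe outcome does not depend on the programmer remembering to validate each input, while with concatenation the quoting of every value is one more thing that has to be done correctly by hand.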