
From: Jorge Lodos (lodos_at_[hidden])
Date: 2007-03-19 08:31:50


Lyfar Dmitriy wrote:

> > Jorge Lodos wrote:
> > Sorry, I don't see how any of this applies -- just because the SQL is a
> > string doesn't mean it comes from an untrusted source. And, programmers
> > that don't validate input from untrusted sources deserve what they get....
>

It wasn't me who wrote that. Moreover, I disagree. Documenting all input
paths and following them to make sure that all input data is correctly
validated is not a trivial task even in medium-size projects. I'd rather
play safe and add another security step. It is not that input validation is
not needed, but that in case of incorrect validation the users of your
program won't suffer.

Best regards
Jorge
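As an added illustration of the point made above (example code written for this page, not from the original thread or from any Boost library): a validator that is applied on one input path and forgotten on another, next to the parameterized form of the same query that holds up either way. The `users` table, its rows and the `validate_name` helper are constructed for this example; the database is Python's in-process sqlite3, chosen only because it runs with no setup.

```python
import sqlite3


def make_db():
    """Constructed sample table for this example; not data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def validate_name(name):
    """Hypothetical validator: the one input path the programmer remembered.

    It rejects the characters a quick review flags, which is all such checks
    usually do; it is not a general SQL-safety guarantee."""
    if "'" in name or ";" in name or "--" in name:
        raise ValueError("rejected: unsafe characters in name")
    return name


def find_by_name_concat(conn, name):
    """String-built query behind the validator. Safe only as long as every
    caller goes through validate_name() first."""
    name = validate_name(name)
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_by_id_concat(conn, user_id):
    """Second input path, added later. Nobody documented that user_id must be
    numeric, so nothing validates it and the value is pasted into the SQL."""
    sql = "SELECT id, name FROM users WHERE id = " + str(user_id) + " ORDER BY id"
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, user_id):
    """Same lookup with a bound parameter. The driver passes the value to the
    engine separately from the statement text, so a validation that was
    forgotten upstream does not change which rows come back."""
    sql = "SELECT id, name FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run the three lookups against the same constructed table and return
    the results so they can be compared side by side."""
    conn = make_db()
    out = {}
    out["name_ok"] = find_by_name_concat(conn, "bob")
    try:
        find_by_name_concat(conn, "x' OR '1'='1")
        out["name_attack"] = "passed"
    except ValueError:
        out["name_attack"] = "rejected"
    # The attacker simply uses the path that was never validated.
    payload = "2 OR 1=1"
    out["id_concat"] = find_by_id_concat(conn, payload)  # every row leaks
    out["id_param"] = find_by_id_param(conn, payload)    # no row matches
    out["id_param_ok"] = find_by_id_param(conn, 2)
    return out


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The parameterized lookup is the "another security step" of the post: it does not replace validating `user_id` (that still belongs on every path), but when the validation is missed, as it is in `find_by_id_concat`, the users of the program do not pay for it.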


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk