cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leo Sutic" <>
Subject RE: A case of SQL injection
Date Tue, 05 Nov 2002 11:26:31 GMT

> From: Christian Haul [] 
> Another important aspect is not to compose a query from 
> strings but use PreparedStatements for that.

IMO, input validation is a bad patch and *this* is the correct 

The fundamental security flaw is the mixing of SQL commands with
user input that isn't present when using prepared statements (or
parameterized queries as they are called in ADO-land).

With input validation you have to outsmart the hacker, making sure that
you have covered *all* possible bad inputs and not any good input.
With prepared statements you win by without fighting.

> I don't see what could be done further.

Me neither.


To unsubscribe, e-mail:
For additional commands, email:

View raw message