cocoon-dev mailing list archives

From Carl Mäsak <ma...@ibg.uu.se>
Subject SQL Injections: Wrapup
Date Wed, 06 Nov 2002 00:00:24 GMT
These are a few things in the "SQL Injection" thread that ring true to me
(I here take the liberty of rephrasing people's opinions in my own words,
but try to give due credit to the first one to bring up each topic):

1. Functionality for making a pretty secure SQL interface in Cocoon
already exists today. Using PreparedStatements is a good example of this.
(Christian Haul)

2. Implementing enforced security in Cocoon might be possible, but is perhaps
not necessarily a Good Thing: it adds unnecessary bulk to Cocoon, and it
might not be all-encompassing/failsafe anyway. (Torsten Curdt)

3. SQL Injections really are an issue. It's easy to write (say) a login script
that doesn't check against SQL Injections. (Geoff Howard)

4. Some users don't want additional protection. They are happy with the
current level of (lack of) protection, and add their own as needed. (Peter
Hunsberger)

5. Data type checking shouldn't have to be done by the Relational Database
Management System, but by the application querying the DBMS. (Ilya
Kriveshko)

6. There doesn't seem to be any explicit mention of SQL Injections in the
Cocoon docs. (Torsten Curdt)

Thanks again for all the relevant feedback.

// Carl Mäsak
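The login script that does no checking (point 3), beside the prepared-statement version (point 1) and an application-side type check (point 5), as an added example that is not from the thread and not Cocoon code. It is written in Python against the standard-library sqlite3 module rather than Cocoon's Java/JDBC so that it runs directly; the `?` placeholders bind parameters the same way a JDBC PreparedStatement does. The users table, its rows, the function names and the two attack strings are all constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo; passwords are stored in plain text only
# to keep the injection visible (real code stores a salted hash, never the password).
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The login script that does no checking: user input is spliced into the SQL text.

    A quote in `name` ends the string literal early, and whatever follows is
    parsed as SQL. Returns the matched user name, or None if no row matched.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, name, password):
    """The same lookup with bound parameters (the PreparedStatement idiom).

    The statement text is fixed; the driver hands `name` and `password` to the
    engine as values, so quotes, comment markers and UNION keywords in them are
    compared as literal characters and never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def parse_user_id(raw):
    """Application-side type check: accept only a plain non-negative integer.

    Returns the int, or None when the input is not a bare integer. This is done
    in the application, not left for the DBMS to reject (or misparse) later.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def user_by_id(conn, raw_id):
    """Look up a user by a string id taken from a request; rejects non-integers."""
    uid = parse_user_id(raw_id)
    if uid is None:
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


# Two constructed attack strings, supplied as the user name with a wrong password.
# The first comments out the password check; the second reads another user's
# password through a UNION. Neither needs any password to be known.
BYPASS_NAME = "alice' --"
UNION_NAME = "' UNION SELECT password FROM users WHERE name = 'bob' --"


def compare():
    """Run both attacks against both login variants and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_NAME, "wrong"),  # "alice"
        "prepared_bypass": login_prepared(conn, BYPASS_NAME, "wrong"),      # None
        "vulnerable_union": login_vulnerable(conn, UNION_NAME, "wrong"),    # "hunter2"
        "prepared_union": login_prepared(conn, UNION_NAME, "wrong"),        # None
        "valid_login": login_prepared(conn, "alice", "s3cret"),             # "alice"
        "typed_id": user_by_id(conn, "2"),                                  # "bob"
        "untyped_id": user_by_id(conn, "2 OR 1=1"),                         # None
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-18s %r" % (key, value))
```

The JDBC equivalent of login_prepared is conn.prepareStatement("SELECT name FROM users WHERE name = ? AND password = ?") followed by setString(1, name) and setString(2, password); the property that matters is the same in both: the query text is compiled once with the placeholders in it, and the values are supplied separately, so no input can change the shape of the statement.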

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org