[DB-SIG] In praise of pyformat
Mike Meyer
mwm-keyword-dbsig.588a7d at mired.org
Wed Aug 15 16:55:38 CEST 2007
On Wed, 15 Aug 2007 09:44:56 -0400 Art Protin <aprotin at research.att.com> wrote:
> Carsten Haese wrote:
> >On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
> >>>How often does an identifier come from an untrusted source?
> >>Um, how about in every web-based app that has a real search facility?
> >>One that lets the user specify which column(s) they want to check, or
> >>that can search multiple tables?
> >Even if you take an identifier directly from an untrusted source, nobody
> >is forcing you to stick it into a query unchecked.
> The better question is why anybody is letting him.
> It is the worst form of programming to use unchecked data.
> So is he arguing that he needs tools to check & validate the values before
> using them as table or column names?
Not quite. I'm asking for a tool that will safely insert identifiers
from an untrusted source into a query, much the same way that
parameter binding lets me insert values from an untrusted source.
thanks,
<mike
--
Mike Meyer <mwm at mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
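As an added illustration of the tool Mike is asking for (this is not code from the thread or from any DB-API module, and it is not the DB-SIG's proposal): the names come from an untrusted source, so they are checked against the live schema and then quoted as identifiers, while the search term goes through ordinary parameter binding. The schema and rows below are constructed for the example, and it assumes the standard-library `sqlite3` module; the function names (`quote_identifier`, `build_search`, `search`) are this example's own.

```python
import sqlite3

# Constructed sample schema and rows, not taken from the thread.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE authors  (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO articles (title, body)
    VALUES ('Quoting identifiers', 'Values are bound, names are not.');
INSERT INTO articles (title, body)
    VALUES ('Other topic', 'Nothing about names here.');
INSERT INTO authors (name, email) VALUES ('Mike', 'mike@example.invalid');
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_identifier(name):
    """Quote an SQL identifier: wrap it in double quotes and double any
    embedded double quote. Quoting alone does not make an arbitrary name
    safe to use; it is combined with the schema check in build_search()."""
    if not isinstance(name, str) or name == "" or "\x00" in name:
        raise ValueError("invalid identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}


def known_columns(conn, table):
    # table has already been checked against known_tables(), so the quoted
    # name here can only be one the schema actually contains.
    rows = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
    return {r[1] for r in rows}


def like_pattern(term):
    """Turn a user search term into a LIKE pattern, escaping the wildcard
    characters so the term is matched literally (ESCAPE '\\' in the SQL)."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    return "%" + escaped + "%"


def build_search(conn, table, columns, term):
    """Return (sql, params) for a search over a user-chosen table and
    column list. Identifiers are validated against the schema and quoted;
    the search term is bound with a placeholder, never interpolated."""
    if table not in known_tables(conn):
        raise ValueError("unknown table: %r" % (table,))
    if not columns:
        raise ValueError("at least one column is required")
    allowed = known_columns(conn, table)
    for col in columns:
        if col not in allowed:
            raise ValueError("unknown column for %s: %r" % (table, col))
    where = " OR ".join("%s LIKE ? ESCAPE '\\'" % quote_identifier(c)
                        for c in columns)
    sql = "SELECT * FROM %s WHERE %s" % (quote_identifier(table), where)
    params = [like_pattern(term)] * len(columns)
    return sql, params


def search(conn, table, columns, term):
    sql, params = build_search(conn, table, columns, term)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(build_search(db, "authors", ["name"], "Mi"))
    print(search(db, "articles", ["title", "body"], "bound"))
```

The two halves are deliberately different mechanisms: `quote_identifier()` handles how a name is written into the statement, and the `known_tables()`/`known_columns()` checks decide whether that name is acceptable at all. A name that is not in the schema never reaches the query, which is the property parameter binding gives you for values and that quoting by itself does not give you for names.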