Why Is Escaping Data Considered So Magical?

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Fri Jun 25 20:40:41 EDT 2010


In message <pan.2010.06.25.06.47.34.297000 at nowhere.com>, Nobody wrote:

> On Fri, 25 Jun 2010 12:25:56 +1200, Lawrence D'Oliveiro wrote:
> 
>> I construct ad-hoc queries all the time. It really isn’t that hard to
>> do safely.
> 
> Wrong.
> 
> Even if you get the quoting absolutely correct (which is a very big "if"),
> you have to remember to perform it every time, without exception.
> 
> More generally, as a program gets more complex, "this will work so long as
> we do X every time without fail" approaches "this won't work".

That’s a content-free claim. Why? Because it applies equally to everything. 
Replace “quoting” with something like “arithmetic”, and you’ll see what I 
mean:

    Even if you get the arithmetic absolutely correct (which is a very big
    "if"), you have to remember to perform it every time, without exception.

    More generally, as a program gets more complex, "this will work so long
    as we do X every time without fail" approaches "this won't work".

From which we can conclude, according to your logic, that one shouldn’t be 
doing arithmetic.

Next time, try to avoid fallacious arguments.

> And you need to perform it exactly once. As the program gets more complex,
> ensuring that it's done in the correct place, and only there, gets harder.

Nonsense. It only needs to be done at the boundary to the appropriate 
component (MySQL, HTML, JavaScript, whatever). That’s the only place which 
needs to have knowledge of what’s on the other side. Everything else can 
work with arbitrary data without having to worry about such things.

Go back to my example, and you’ll see this: the original updates two dozen 
different fields in a database table, yet it only needs two calls to 
SQLString: one deals with all the fields requiring updating, while the other 
one deals with the key-matching. That’s it. Instead of two dozen different 
places needing checking, you only have two.

That’s what “maintainability” is all about.
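The boundary discipline argued for above, as an added example that is not code from the original post or thread. The `sql_string` helper here is a stand-in for the post's `SQLString`; its escaping rules are an assumption (MySQL string-literal syntax with backslash escapes enabled, the default), the table and column names are made up, and the identifier check is an addition of this example: identifiers are not data and cannot go through the string escaper, so they are validated instead. Every value passes through `sql_string` exactly once, in one of the two join expressions inside `build_update`, which is the "two places to check" structure the post describes.

```python
import re

# Assumed MySQL string-literal escapes (backslash escaping, i.e. NO_BACKSLASH_ESCAPES off).
_ESCAPES = {
    ord("\\"): "\\\\",
    ord("'"): "\\'",
    ord('"'): '\\"',
    0: "\\0",
    ord("\n"): "\\n",
    ord("\r"): "\\r",
    26: "\\Z",
}
# Identifiers (table and column names) are restricted to a safe charset rather than escaped.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def sql_string(value):
    """Render one Python value as a MySQL literal.

    This is the only function that knows SQL quoting rules; everything
    upstream handles raw data and never touches the query text.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # before int: bool is a subclass of int
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        return repr(value)
    if isinstance(value, (bytes, bytearray)):
        return "X'" + bytes(value).hex() + "'"   # hex literal: no escaping needed
    if isinstance(value, str):
        return "'" + value.translate(_ESCAPES) + "'"
    raise TypeError("no SQL literal form for %s" % type(value).__name__)


def sql_ident(name):
    """Quote a table or column name, refusing anything outside the safe charset.

    Names come from code, not from users, but a hard check is cheaper than
    trusting every caller; a value that fails here is a bug, not an input.
    """
    if not _IDENT.match(name):
        raise ValueError("unsafe identifier: %r" % (name,))
    return "`" + name + "`"


def build_update(table, fields, keys):
    """Build UPDATE table SET f1 = v1, ... WHERE k1 = v1 AND ... from plain dicts.

    `fields` maps column name -> new value; `keys` maps column name -> value
    the row must match. Each value is escaped exactly once, in one of the
    two expressions below, however many columns the caller supplies.
    """
    if not fields or not keys:
        raise ValueError("need at least one field to set and one key to match")
    assignments = ", ".join(
        "%s = %s" % (sql_ident(col), sql_string(val)) for col, val in fields.items()
    )
    conditions = " AND ".join(
        "%s = %s" % (sql_ident(col), sql_string(val)) for col, val in keys.items()
    )
    return "UPDATE %s SET %s WHERE %s" % (sql_ident(table), assignments, conditions)


if __name__ == "__main__":
    # Constructed sample input: two fields carry quote characters and a classic payload.
    stmt = build_update(
        "users",
        {"name": "O'Brien", "note": "x'; DROP TABLE users; --", "age": 42, "nick": None},
        {"id": 7},
    )
    print(stmt)
```

Note that `build_update` never inspects the values it is given: a string containing `'; DROP TABLE` is just another string to `sql_string`, and the resulting statement assigns it to a column rather than executing it. A DB-API driver's parameter binding (`cursor.execute(sql, params)`) puts this same single boundary inside the driver, which is the usual way to get the "only one place to check" property without writing the escaper yourself.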
