Why Is Escaping Data Considered So Magical?

Nobody nobody at nowhere.com
Sat Jun 26 06:49:18 EDT 2010


On Sat, 26 Jun 2010 12:40:41 +1200, Lawrence D'Oliveiro wrote:

>>> I construct ad-hoc queries all the time. It really isn’t that hard to
>>> do safely.
>> 
>> Wrong.
>> 
>> Even if you get the quoting absolutely correct (which is a very big "if"),
>> you have to remember to perform it every time, without exception.
>> 
>> More generally, as a program gets more complex, "this will work so long as
>> we do X every time without fail" approaches "this won't work".
> 
> That’s a content-free claim. Why? Because it applies equally to everything.
> Replace “quoting” with something like “arithmetic”, and you’ll
> see what I mean:

If you omit the arithmetic, the program is likely to fail in very
obvious ways. Escaping is "almost" an identity function, which makes it
far more likely that omission or repetition will go unnoticed.

>> And you need to perform it exactly once. As the program gets more complex,
>> ensuring that it's done in the correct place, and only there, gets harder.
> 
> Nonsense. It only needs to be done at the boundary to the appropriate
> component (MySQL, HTML, JavaScript, whatever).

That assumes that you have a well-defined "boundary", which isn't
necessarily the case.

In any case, you're still trying to make arguments about whether it's easy
or hard to get it right, which completely misses the point. Eliminating
the escaping entirely makes it impossible to get it wrong.
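The two claims made in this message (escaping is "almost" an identity function, and parameterization removes the step that can be forgotten) can be shown directly. The following is an added example, not code from the thread or from any of its posters; it uses Python's bundled sqlite3 module with an in-memory database, constructed sample rows, and a stand-in escape function (escape_sql_literal, which only doubles single quotes) to compare forgetting the escape, applying it once, applying it twice, and using a bound parameter instead.

```python
import sqlite3

# Constructed sample data. On three of these four names, escaping changes
# nothing at all, so a forgotten or duplicated escape call is invisible in
# any test that happens not to include the fourth.
SAMPLE_NAMES = ["alice", "bob", "carol", "O'Brien"]


def escape_sql_literal(value: str) -> str:
    """Stand-in for hand-rolled SQL string escaping (doubles single quotes).

    This is deliberately minimal; it is the kind of function the thread is
    arguing about, not a recommendation to write one.
    """
    return value.replace("'", "''")


def escaping_is_identity_for(values):
    """Return the inputs on which escaping is the identity function.

    For these inputs, omitting or repeating escape_sql_literal() cannot be
    observed, which is exactly why such mistakes survive testing.
    """
    return [v for v in values if escape_sql_literal(v) == v]


def build_db():
    """Create an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def lookup_by_concatenation(conn, name, escape_times):
    """Build the query by string concatenation.

    escape_times = 0 models a forgotten escape, 1 the correct case, and 2
    a duplicated escape (e.g. two layers each believing they own the
    boundary). Returns ("rows", [ids]) or ("error", message).
    """
    literal = name
    for _ in range(escape_times):
        literal = escape_sql_literal(literal)
    sql = "SELECT id FROM users WHERE name = '" + literal + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("rows", [r[0] for r in rows])


def lookup_parameterized(conn, name):
    """Bind the value with a placeholder: there is no escaping step to
    forget, misplace, or repeat, so the problem the thread describes
    does not arise."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?",
                        (name,)).fetchall()
    return [r[0] for r in rows]


def compare(name):
    """Run the same lookup four ways and return the outcomes by approach."""
    conn = build_db()
    return {
        "forgot_escape": lookup_by_concatenation(conn, name, 0),
        "escaped_once": lookup_by_concatenation(conn, name, 1),
        "escaped_twice": lookup_by_concatenation(conn, name, 2),
        "parameterized": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    print("escaping is a no-op for:", escaping_is_identity_for(SAMPLE_NAMES))
    for n in ("alice", "O'Brien"):
        print(n, compare(n))
```

For "alice" all four approaches agree, so a test suite built from such inputs passes whether the escape call is present, absent, or duplicated. Only "O'Brien" separates them: the forgotten escape produces a SQL syntax error, the duplicated escape silently returns no rows (it searches for the literal string O''Brien), and only the correctly-escaped and the parameterized versions find the row. Parameterization gets the right answer without any step that could have been misplaced.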