Why Is Escaping Data Considered So Magical?

[Lawrence D'Oliveiro]

In message <pan.2010.06.26.10.49.02.156000 at nowhere.com>, Nobody wrote:

> On Sat, 26 Jun 2010 12:40:41 +1200, Lawrence D'Oliveiro wrote:
> 
>>>> I construct ad-hoc queries all the time. It really isn’t that hard to
>>>> do safely.
>>> 
>>> Wrong.
>>> 
>>> Even if you get the quoting absolutely correct (which is a very big
>>> "if"), you have to remember to perform it every time, without exception.
>>> 
>>> More generally, as a program gets more complex, "this will work so long
>>> as we do X every time without fail" approaches "this won't work".
>> 
>> That’s a content-free claim. Why? Because it applies equally to
>> everything. Replace “quoting” with something like “arithmetic”, and
>> you’ll see what I mean:
> 
> If you omit the arithmetic, the program is likely to fail in very
> obvious ways. Escaping is "almost" an identity function, which makes it
> far more likely that omission or repetition will go unnoticed.

Maybe you need to go back and reread my original posting. The SQLString 
routine doesn’t just escape special characters, it generates a full MySQL 
string literal, complete with quotation marks. That makes it rather more 
likely for a syntax error to occur if I forget to use it, don’t you think?

>>> And you need to perform it exactly once. As the program gets more
>>> complex, ensuring that it's done in the correct place, and only there,
>>> gets harder.
>> 
>> Nonsense. It only needs to be done at the boundary to the appropriate
>> component (MySQL, HTML, JavaScript, whatever).
> 
> That assumes that you have a well-defined "boundary", which isn't
> necessarily the case.

It’s ALWAYS the case.

> In any case, you're still trying to make arguments about whether it's easy
> or hard to get it right, which completely misses the point. Eliminating
> the escaping entirely makes it impossible to get it wrong.

Except nobody has yet shown an alternative which is easier to get right.