Why Is Escaping Data Considered So Magical?
Stephen Hansen
me+list/python at ixokai.io
Fri Jun 25 10:27:44 EDT 2010
On Fri, Jun 25, 2010 at 5:15 AM, Jorgen Grahn
<grahn+nntp at snipabacken.se> wrote:
> Am I missing something? If not, I can go back to sleep -- and keep
> avoiding SQL and web programming like the plague until that community
> has entered the 21st century.
>
You're not missing anything. It's been the accepted industry practice for
years and years (and /years/), the taught industry practice, the advised
industry practice, the constantly repeated practice on every even vaguely
database related forum forever now.
However:
a) Some people are convinced of their own infallibility, and prefer a
clever construct generating a string that has to be parsed due to the
cleverness of said construct.
b) Some people don't listen / understand.
c) Some people don't care.
And so, SQL injection attacks continue to persist. Then again, it's not like
anyone in the C-ish world doesn't know about bounds checking on arrays, do
they? But buffer overflows persist. Probably for similar reasons as above
(with a slightly different 'and prefer' clause).
--Stephen
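The contrast in point (a) above, shown in Python's sqlite3 module as an added example (this code is not from the original thread or from either poster). The table, the two user rows, the hand-rolled `naive_escape()` helper and the two attacker inputs are all constructed for the demonstration. It shows three approaches side by side: splicing input into the SQL text, splicing it after quote-doubling escaping, and binding it through `?` placeholders. Escaping happens to hold up inside a quoted string literal and fails as soon as the value lands in a numeric context; the parameterised query is unaffected in both cases because the database never parses the values as SQL.

```python
import sqlite3

# Constructed sample data for this added example (not from the original thread).
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def naive_escape(value):
    """Hand-rolled escaping (hypothetical helper): double single quotes so
    they cannot close a literal. Adequate inside a quoted SQLite string
    literal, meaningless in any other syntactic context."""
    return str(value).replace("'", "''")


def login_string_built(conn, name, password):
    """The 'clever construct generating a string that has to be parsed':
    user input is spliced into the SQL text and the database parses it as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_escaped(conn, name, password):
    """Same string-built query, every value run through naive_escape() first."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (naive_escape(name), naive_escape(password)))
    return [row[0] for row in conn.execute(sql)]


def user_by_id_escaped(conn, user_id):
    """Numeric column, so no quotes surround the value: doubling quotes
    changes nothing and the input is still parsed as part of the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = %s" % naive_escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, name, password):
    """Parameterised query: the SQL text is fixed before any value is seen.
    The driver binds values separately, so they are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def user_by_id_parameterised(conn, user_id):
    """Placeholders work identically for a numeric column: no escaping
    decision depends on the surrounding context."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed attacker inputs for the demonstration.
QUOTE_PAYLOAD = "' OR '1'='1"   # closes the literal, appends a tautology
NUMERIC_PAYLOAD = "1 OR 1=1"    # needs no quote at all in a numeric context


def demo():
    """Run every variant against the same database and return the rows each
    one hands back for the attacker-controlled inputs."""
    conn = make_db()
    return {
        # String building: AND binds tighter than OR, so the tautology
        # makes every row match.
        "string_built": login_string_built(conn, "alice", QUOTE_PAYLOAD),
        # Escaping holds here only because the value sits in a quoted literal.
        "escaped_text": login_escaped(conn, "alice", QUOTE_PAYLOAD),
        # Escaping fails as soon as the context changes.
        "escaped_numeric": user_by_id_escaped(conn, NUMERIC_PAYLOAD),
        # Parameters: the payloads are plain values that match nothing.
        "param_text": login_parameterised(conn, "alice", QUOTE_PAYLOAD),
        "param_numeric": user_by_id_parameterised(conn, NUMERIC_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-16s -> %r" % (label, rows))
```

Run as a script, the string-built and escaped-numeric variants return both users while the parameterised variants return nothing for either payload; a legitimate `login_parameterised(conn, "alice", "s3cret")` still returns `['alice']`. The numeric case is the one worth remembering: the escaping routine is not wrong, it is simply answering a question about a context the query no longer has.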
More information about the Python-list mailing list