On 22/09/2011, at 7:33 AM, Ian King wrote:
When I first learned of SQL injection exploits, my
first thought was, "Is this a joke?" It seems so painfully obvious - which, of
course, is how most of these things look in retrospect.
Hindsight is an exact science. -- Ian
You're right, it is obvious, but not just in retrospect. It's obvious in any
situation where you need to produce a delimited string: your first question should be, what if
my string contains a delimiter? And then, can I escape the delimiter or just filter it
out? Can I avoid escaping/filtering (blacklist) and only allow a subset of characters in
the first place (whitelist)?
The fact that we've had so many privacy breaches, intrusions, data loss, defacements,
credit card fraud, etc. due to this blindingly simple issue is downright pathetic. These
"programmers" should be held liable for negligence.
Oh, and hi list. I'm new here. :)
Scott.
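The delimiter problem Scott describes, as an added example that is not part of the original thread: a name containing the SQL string delimiter breaks a naively concatenated query, while a parameterised query binds it as data, and a whitelist rejects it up front. The table, rows and column names are constructed for this example; it assumes Python's standard sqlite3 module.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data (not from the thread): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])
    return conn

def lookup_unsafe(conn, name):
    """Naive string building: the ' delimiter inside `name` is neither escaped
    nor filtered, so it terminates the literal early and corrupts the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def lookup_param(conn, name):
    """Parameterised query: `name` is bound as a value, never spliced into the
    SQL text, so a delimiter in it is just another character of data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Whitelist: only allow a small known-good character set in the first place.
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_allowed(name):
    return ALLOWED.fullmatch(name) is not None

def lookup_whitelist(conn, name):
    """Reject anything outside the whitelist, then still use a bound parameter."""
    if not is_allowed(name):
        raise ValueError("name contains characters outside the allowed set")
    return lookup_param(conn, name)

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "O'Brien"))   # the delimiter breaks the statement
    print(lookup_param(db, "O'Brien"))    # ['ob@example.com']
    print(is_allowed("O'Brien"))          # False: whitelist rejects the quote
```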