On Tue, 23 Mar 2004 12:05:17 -0800, Pablo Gosse wrote:

>> I think you have misunderstood the concepts of making queries based on
>> user input. It is not the users who should create the query, all they
>> should do is provide the input to narrow down the queries.
>
> I have not misunderstood the concepts of making queries based on user
> input.

I was here referring to my definition and not in general terms. It was
not meant to offend anybody :-)
> 1) Hard coding a query into an application is good, if the situation
> permits it;
>

True.

> 2) Letting a user select (or enter) a value(s) to be used in a query is
> good, as long as you validate the hell out of said value(s);
>

Also true.

> 3) Letting a user arbitrarily enter unvalidated value(s) to be used in
> a query is very very stupid and very very bad, and done far too often.
>

Again, true.

> In a broader scope I would here consider to be user input ANY input
> which is not hard coded into the application, and any input which is not
> hard coded should be thoroughly examined before being used.
>

I agree.

-- 
Hilsen/Regards
Michael Rasmussen
--------------------------------------------------------------
Kiss me, Kate, we will be married o' Sunday.
-- William Shakespeare, "The Taming of the Shrew"

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
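The three cases the thread lists, written out as an added PHP/PDO example (this is not code from either poster). It uses an in-memory SQLite database, with a constructed `users` table, so it runs offline; the function names and the whitelist of sort columns are assumptions chosen for the illustration. Values supplied by the user go through bound parameters; identifiers (a column name for ORDER BY) cannot be bound, so they are checked against a fixed list before they reach the SQL text.

```php
<?php
// Added example: the three ways of combining user input with a query,
// as discussed in the thread. Table and rows are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Case 1: the query is hard coded; no user input touches the SQL text.
function listUsers(PDO $pdo): array
{
    return $pdo->query('SELECT name, role FROM users ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Case 2: user input only narrows the query and is validated first.
// $role is a value, so it is bound: quotes or comment markers in it are
// plain data. $sortBy is an identifier and cannot be bound, so it is
// accepted only if it matches the whitelist exactly.
function findUsers(PDO $pdo, string $role, string $sortBy): array
{
    $allowedSort = ['id', 'name'];   // assumed whitelist for this example
    if (!in_array($sortBy, $allowedSort, true)) {
        throw new InvalidArgumentException("unsupported sort column: $sortBy");
    }
    $stmt = $pdo->prepare(
        "SELECT name, role FROM users WHERE role = :role ORDER BY $sortBy"
    );
    $stmt->execute([':role' => $role]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Case 3: unvalidated input concatenated into the SQL. Kept here only so
// the contrast with findUsers() is visible; this is the pattern to avoid.
function findUsersUnsafe(PDO $pdo, string $role): array
{
    return $pdo->query("SELECT name, role FROM users WHERE role = '$role'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// A constructed value containing SQL metacharacters.
$input = "' OR '1'='1";

print_r(listUsers($pdo));                  // both rows
print_r(findUsers($pdo, $input, 'name'));  // empty: no role equals the literal input
print_r(findUsersUnsafe($pdo, $input));    // both rows: the input changed the query

try {
    findUsers($pdo, 'user', 'role; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";  // whitelist stops the identifier
}
```

The split between values (bind them) and identifiers (whitelist them) is the practical form of "validate the hell out of said value(s)": a prepared statement cannot protect a column or table name, so that part of the input has to be compared against a list the application itself hard codes.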