On Fri, 25 Jun 2010 12:15:08 +0000, Jorgen Grahn wrote: > I don't do SQL and I don't even understand the terminology properly > ... but the discussion around it bothers me. > > Do those people really do this?
Yes. And then some. Among web developers, the median level of programming knowledge amounts to the first 3 chapters of "Learn PHP in 7 Days". It doesn't help the the guy who wrote PHP itself wasn't much better. > - accept untrusted user data > - try to sanitize the data (escaping certain characters etc) > - turn this data into executable code (SQL) > - executing it > > Like the example in the article > > SELECT * FROM hotels WHERE city = '<untrusted>'; Yep. Search the BugTraq archives for "SQL injection". And most of those are for widely-deployed middleware; the zillions of bespoke site-specific scripts are likely to be worse. Also: http://xkcd.com/327/ > I thought it was well-known that the solution is *not* to try to > sanitize the input Well known by anyone with a reasonable understanding of the principles of programming, but somewhat less well known by the other 98% of web developers. > Am I missing something? There's a world of difference between a skilled chef and the people flipping burgers for a minimum wage. And between a chartered civil engineer and the people laying the asphalt. And between what you probably consider a programmer and the people doing most web development. > If not, I can go back to sleep -- and keep > avoiding SQL and web programming like the plague until that community > has entered the 21st century. Don't hold your breath. Of course, there's no fundamental reason why you can't apply sound practices to web development. Well, other than the fact that you're competing against an infinite number of (code-) monkeys for lowest-bidder contracts. To be fair, it isn't actually limited to web developers. I've seen the following in scientific code written in C (or, more likely, ported to C from Fortran) for Unix: sprintf(buff, "rm -f %s", filename); system(buff); Why bother learning the Unix API when you already know system()? -- http://mail.python.org/mailman/listinfo/python-list
