From: Jeff Garland (jeff_at_[hidden])
Date: 2007-03-17 13:35:46


Jorge Lodos wrote:
> Michael Walter wrote:
>
>> On 3/16/07, Jorge Lodos <lodos_at_[hidden]> wrote:
>>> Security is another reason to go away from sql queries as strings.
>>> Prevent SQL injection attacks.
>> You bind your parameters, you don't have any problems (except
>> when this doesn't work, but then stored procedures don't help either).
>>
>
> Sure, but it is the programmer's responsibility to bind the parameters instead
> of concatenating strings.
> Not using SQL strings avoids errors from programmers. What happens with many
> of the existing SQL injection attacks is that programmers didn't bind
> parameters even when they had the possibility to do so.
>

Sorry, I don't see how any of this applies -- just because the SQL is a string
doesn't mean it comes from an untrusted source. And, programmers that don't
validate input from untrusted sources deserve what they get....

Jeff
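The distinction the thread is circling, in runnable form. This is an added example, not code from the list or from any Boost library; it uses Python's standard sqlite3 module and a constructed in-memory table, and shows the same lookup written by concatenating the input into the SQL text and by binding it as a parameter, each run on a value that happens to contain a quote.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """The pattern under discussion: untrusted input pasted into the SQL text.

    The SQL being a string is not the problem (a constant query string is
    perfectly safe); the defect is that `name` becomes part of the statement's
    grammar instead of staying data.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Same query with a bound parameter: the driver hands `name` to the
    engine as a value, so it can never change the shape of the statement."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both variants on an ordinary value and on one containing a quote."""
    conn = make_db()
    ordinary = "bob"
    quoted = "x' OR '1'='1"  # constructed input; a quote is enough to break concatenation
    return {
        "concat_ordinary": sorted(lookup_concat(conn, ordinary)),
        "concat_quoted": sorted(lookup_concat(conn, quoted)),
        "bound_ordinary": sorted(lookup_bound(conn, ordinary)),
        "bound_quoted": sorted(lookup_bound(conn, quoted)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated query returns every row for the quoted input because the quote closes the literal and the rest is parsed as SQL; the bound query returns nothing, since no user is literally named `x' OR '1'='1`.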