[Info-vax] Teaching, was: Re: Any stronger versions of the LMF planned ?

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Fri Aug 13 03:53:46 EDT 2021


Den 2021-08-13 kl. 04:00, skrev Lawrence D’Oliveiro:
> On Friday, August 13, 2021 at 12:47:29 PM UTC+12, Arne Vajhøj wrote:
>>
>> Experience has shown that escaping parameter values frequently goes
>> wrong.
> 
> Your experience? Because you don’t understand what a regular grammar is?
> 
>> It can get very messy with Unicode and different character sets
>> in play.
> 
> That may have been true in the days before UTF-8. In this century, that particular problem is finally solved.
> 
>> Decent database API's provide support for prepared statement /
>> parameters.
> 
> I don’t see any that deal with LIKE clauses, though, for example.

I do not see why a LIKE could not take a parameter. But on the other
hand, in real business applications, I do not think that the use of LIKE
SQL clause in particular is that common. It has some performance
implications.

Anyway, the source of many SQL injection issues over the years has
been the use of simple string handling in tools like PHP. When you
see PHP SQL code, it is usually using string handling and not prepared
statements and parameter markers (where SQL injection is not possible).

> How do you cope with that? Or in your world, do you just run away screaming?

Childish comment.
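The two points raised above, that a LIKE clause can take a parameter marker just like any other value and that string-built SQL is what goes wrong, shown side by side as an added example (not code from the thread). It uses Python's sqlite3 module as a stand-in for the PHP/database API being discussed; the table, rows and search terms are constructed here for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
ROWS = [("alice", "admin"), ("bob", "user"), ("carol_x", "user"), ("50% off", "promo")]


def make_db():
    """Create an in-memory table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, term):
    """The fragile style the post criticises: the search term is spliced
    into the SQL text, so quotes in the input change the statement and
    any % or _ the user types act as wildcards."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Make a user term safe to embed in a LIKE pattern: escape the escape
    character first, then the two LIKE wildcards."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_param(conn, term):
    """Prepared statement with a parameter marker for the LIKE pattern.
    The wildcards are added in application code, and wildcards inside the
    user's term are neutralised with an ESCAPE clause, so the term is only
    ever data and never part of the SQL text."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(search_concat(db, "_"))   # every row: '_' is a wildcard here
    print(search_param(db, "_"))    # only the name with a literal '_'
    print(search_param(db, "O'Brien"))  # the quote is harmless as a parameter
```

Running `search_concat` with the term `O'Brien` raises a syntax error from the database, which is exactly the class of breakage that turns into an injection issue in real code; the parameterised version simply returns no rows.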


