Reply to post: Re: Got to watch those password lengths

Re: Got to watch those password lengths

SQL injection is ridiculous. They take some random HTTP POST value and concatenate it onto a SQL statement and run it? Duh!

Even if they run it through a sanitiser it's a risk and moreover it's ridiculously inefficient.

Every program (web service or otherwise) I've ever written that takes user input (or input from a comms channel) for an SQL (or "a Sequel" if you prefer) query binds the input variables to placeholders in the query string. Usually the statements are pre-prepared since that avoids a layer of parsing for frequently executed statements.

This is trivially easy to do in PHP, Python, Perl, Ruby etc. and not much more complicated in C/C++ with most client libraries.

To paraphrase Holly, "The highest form of life in the universe is Man and the lowest is a man who works as a web developer."
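As an added example (not from the original post or The Register), here is the concatenation pattern the commenter criticises beside the placeholder-bound form, using Python's standard sqlite3 module; the table, users and hostile input are all constructed here for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database for the demo (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, password):
    # The pattern the post objects to: the request value is spliced
    # straight into the SQL text, so quotes in the value become SQL syntax.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    # Placeholders: the statement text is fixed, and the driver passes the
    # values separately, so they can never be parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    conn = make_db()
    good = ("alice", "s3cret")
    # Constructed hostile value: the AND/OR precedence makes the
    # concatenated WHERE clause true for every row.
    bad = ("alice", "x' OR '1'='1")
    return {
        "concat_good": login_concat(conn, *good),  # ['alice']
        "concat_bad": login_concat(conn, *bad),    # ['alice', 'bob']
        "bound_good": login_bound(conn, *good),    # ['alice']
        "bound_bad": login_bound(conn, *bad),      # []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```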
