
Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now

Charlie Clark Silver badge

Re: Not all that different

Splitting them up does make sense because they're very likely to occur in different contexts.

Validation on a website is really important UX for the user, who needs to be told as quickly as possible if they've missed something important out or got something wrong. Ideally, this is done client-side before a screen refreshes, and this has been improved significantly by HTML5. It's just such a pity that browsers took so long to properly implement the new controls.

You do then need to do sanity and sanitary checks: is this a bot?

SQL injection itself should really never happen as a result of client code. Parameters should always be passed separately. This is not to say that things don't go wrong, because they do, not least because passing the parameters separately simply makes it the DB's job to do the checking. But any code that hands data off to another system (DB, network, app) also needs to make sure it follows the API correctly, as this is where errors are likely to be most serious, leading to the privilege escalation you mention.

In many situations it's possible to find that the code itself was all correct but exploits were still possible. Hard to think of a better way of learning about this than seeing it happen to your own stuff.
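As an added illustration of the point about passing parameters separately (example code, not part of the comment above), the following runs the same client-supplied value through a string-concatenated query and through a parameterised one against a small constructed SQLite database. It also shows the case parameters cannot cover, a column name used in ORDER BY, where the caller still has to follow the API and allow-list the value itself. The table, rows, payload and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample database for the example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the client value is spliced into the SQL text, so the
    # database cannot distinguish the data from the surrounding code.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_param(conn, name):
    # Parameter passed separately: the SQL text is fixed and the driver
    # binds the value, so the database treats it purely as data.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return sorted(conn.execute(sql, (name,)).fetchall())


# Columns the caller is allowed to sort by. Identifiers cannot be bound as
# parameters, so this is the only place that check can live.
SORTABLE_COLUMNS = {"name", "role"}


def list_users_sorted(conn, order_by):
    # Hypothetical helper showing the "follow the API correctly" part:
    # the value is an identifier, not data, so it must be allow-listed
    # before it is placed into the statement.
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    sql = "SELECT name, role FROM users ORDER BY " + order_by
    return conn.execute(sql).fetchall()


# A classic tautology payload, constructed for the example.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    results = {
        # Concatenation: the OR clause becomes part of the query and
        # every row comes back, despite no user being called "x".
        "concat": lookup_concat(conn, PAYLOAD),
        # Parameterised: the whole string is compared as a literal name,
        # so nothing matches.
        "param": lookup_param(conn, PAYLOAD),
        "sorted_by_role": list_users_sorted(conn, "role"),
    }
    try:
        list_users_sorted(conn, "role; DROP TABLE users")
        results["bad_sort_rejected"] = False
    except ValueError:
        results["bad_sort_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The parameterised path only protects values; anything that shapes the statement itself (table names, columns, sort direction, LIMIT clauses built from user input) has to be validated by the calling code against a fixed set, which is exactly the "make sure it follows the API correctly" step.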
