Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 11:17:29 -0500
On Wed, 2004-06-16 at 03:56, Stephen de Vries wrote:
> But I think we agree that the data must be validated at some point, so
> instead of validating it in a function just before output, it would be
> more elegant to define another function that accepts the data and
> validates it as input.
I understand what you are saying. But calling it input and output depends
on the point of view of the observer. I was (in my mind) segmenting it
into trust boundaries. You trust your code, you don't trust the user.
User inputs data to your code, and your code outputs data to the user.
Perhaps we should just call it data validation, without explicitly
labeling it input and output. That way data validation can be applied
between trust boundaries, or application modules/functions.
(That way Jeff can keep it a Top 10 list ;)
What are your thoughts?
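As an added illustration of the "validate at the trust boundary" idea discussed above (this is example code written for this page, not code from the thread or either poster), the following Python module applies one allow-list validator at the user-to-code boundary and again at the code-to-database boundary, and compares a string-concatenated query with a parameterized one. The table, rows, function names and the regular expression are all assumptions constructed for the example.

```python
import re
import sqlite3

# Allow-list for a username: letters, digits and underscore, 1-32 characters.
# Constructed for this example; a real application defines its own rules.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


class ValidationError(ValueError):
    """Raised when data crossing a trust boundary fails validation."""


def validate_username(value):
    """Validate data wherever it crosses a boundary, regardless of direction."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError(f"rejected username: {value!r}")
    return value


def setup_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the value is spliced into the SQL text unchecked."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_bound_only(conn, name):
    """Parameter binding alone: the driver treats the value as data, not SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_safe(conn, name):
    """Data-layer boundary: validate again here, then bind the parameter."""
    name = validate_username(name)
    return lookup_bound_only(conn, name)


def handle_request(conn, raw_name):
    """User-to-code boundary: reject bad data before it reaches any module."""
    try:
        name = validate_username(raw_name)
    except ValidationError:
        return None
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = setup_db()
    probe = "bob' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))       # returns both rows
    print("bound only:", lookup_bound_only(db, probe))  # returns []
    print("validated:", handle_request(db, probe))   # returns None
    print("normal:", handle_request(db, "bob"))      # returns [('bob', 'user')]
```

The same validator serves both "directions": it is the boundary that matters, not the input/output label, and binding the parameter is the second, independent layer at the database module's own boundary.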