[thelist] JSF, JSP and SQL Injection
Dan McCullough
dan.mccullough at gmail.com
Wed Jan 19 11:06:26 CST 2005
Sounds like they have their revenge plan ready.
On Wed, 19 Jan 2005 10:52:06 -0600, Jay Blanchard
<jay.blanchard at niicommunications.com> wrote:
> [snip]
> Our development team has told me that we don't need to validate user
> input in our application because the values are all passed to prepared
> statements. Because of this, SQL injection cannot occur.
>
> I only work with PHP, where I validate everything.
>
> Thoughts?
> [/snip]
>
> What the development team said is BAD[tm]. That makes them potentially
> EVIL[tm].
>
> Why can't SQL injection occur in a prepared statement? Are they
> validating the data at that level? That sounds awfully specious to me.
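A worked illustration of the point under discussion, added here as an example and not code from either poster. It uses Python's built-in sqlite3 module rather than JSP/JDBC or PHP, but the behaviour is the same for a JDBC PreparedStatement with setString(): a bound parameter is sent as a value, never spliced into the SQL text, so the classic quote-breaking input is harmless. It also shows the caveat the development team's claim glosses over: identifiers such as an ORDER BY column cannot be bound, so input that ends up in that position still needs validation (an allowlist here). The table, rows and function names are all constructed for this example.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("carol", "user"), ("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """The unsafe pattern: user input spliced into the SQL text.
    A value containing a quote changes the meaning of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """The safe pattern: the value travels as a bound parameter, never as SQL
    text, so a quote inside it is just a character in the compared string."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Identifiers (column and table names) cannot be bound as parameters, so a
# user-chosen sort column must be validated before it touches the SQL text.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def is_safe_sort_column(column):
    """Allowlist check: only known column names are accepted."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_column):
    """Sorting by a user-selected column: the prepared statement does not help
    here, so the allowlist check is what keeps the query intact."""
    if not is_safe_sort_column(sort_column):
        raise ValueError("unexpected sort column: %r" % sort_column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + sort_column)]


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"
    print("concatenated:", lookup_concatenated(conn, hostile))  # every row comes back
    print("prepared:    ", lookup_prepared(conn, hostile))      # no row has that literal name
    print("sorted:      ", list_users_sorted(conn, "name"))
```

The two lookups answer Jay's question directly: the quote in the input only matters when it becomes part of the statement text. The third function is the reason "we use prepared statements" is not the whole story; anything that cannot be a bound parameter (identifiers, keywords, LIMIT expressions in some drivers) still has to be validated, and validation of length, format and range for business reasons is a separate concern from injection anyway.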