[thelist] JSF, JSP and SQL Injection

Jay Blanchard jay.blanchard at niicommunications.com
Wed Jan 19 10:52:06 CST 2005


[snip]
Our development team has told me that we don't need to validate user
input in our application because the values are all passed to prepared
statements. Because of this, SQL injection cannot occur.

I only work with PHP, where I validate everything.

Thoughts?
[/snip]

What the development team said is BAD[tm]. That makes them potentially
EVIL[tm].

Why can't SQL injection occur in a prepared statement? Are they
validating the data at that level? That sounds awfully specious to me.
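An added illustration, not part of the thread, of what the team's claim does and does not cover: a bound parameter keeps user input as data, but a prepared statement cannot bind an identifier such as a sort column, so validation still has a job. Python's sqlite3 stands in for the JSP and PHP code under discussion; the users table and its two rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable: the user-supplied value is spliced into the SQL text,
    so a quote inside it changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, name):
    """Safe for values: the '?' placeholder binds the input as data,
    so quotes inside it are just characters to compare against."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

# Identifiers (table and column names) cannot be bound as parameters,
# so a prepared statement does not protect this case; an allowlist does.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, column):
    """Sort by a caller-chosen column, accepting only known column names."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    return [row[0] for row in conn.execute(
        f"SELECT name FROM users ORDER BY {column}")]
```

With the input `x' OR '1'='1`, `lookup_concat` returns every user while `lookup_prepared` returns nothing, because the bound value is compared literally.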

