19 Mar 2007, 12:31 p.m.
Lyfar Dmitriy wrote:
> Jorge Lodos wrote: Sorry, I don't see how any of this applies -- just because the SQL is a string doesn't mean it comes from an untrusted source. And programmers that don't validate input from untrusted sources deserve what they get...

It wasn't me who wrote that. Moreover, I disagree. Documenting all input paths and following them to make sure that all input data is correctly validated is not a trivial task even in medium-size projects. I'd rather play safe and add another security step. It is not that input validation is not needed, but that in case of incorrect validation the users of your program won't suffer.

Best regards
Jorge
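The "second security step" Jorge argues for, as an added example that is not part of the thread: a deliberately incomplete validation check (hypothetical, constructed here) is applied to both query styles; the string-built query depends entirely on that check, while the bound-parameter query keeps its shape no matter what slipped past validation. The table and rows are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data, not from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def looks_valid(user_id):
    # Hypothetical validation step a caller is supposed to have run on the
    # input path. It only rejects quote characters, i.e. the kind of
    # incomplete check that the reply above worries about.
    return "'" not in user_id


def lookup_concat(conn, user_id):
    # "The SQL is just a string": validation is the only line of defence,
    # so whatever passed looks_valid() becomes part of the query text.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    # Second safety step: the driver binds the value separately from the
    # statement, so the query shape is fixed regardless of validation.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def compare(user_id):
    # Returns (string-built result, parameterised result) for one input
    # that the validation step has already accepted.
    conn = make_db()
    if not looks_valid(user_id):
        raise ValueError("rejected by validation")
    return lookup_concat(conn, user_id), lookup_param(conn, user_id)
```

For a well-formed id both functions agree; for an input that the weak check lets through, only the parameterised lookup still returns just the intended row (here, none).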