Why Is Escaping Data Considered So Magical?

Nobody nobody at nowhere.com
Fri Jun 25 19:17:47 EDT 2010


On Fri, 25 Jun 2010 12:15:08 +0000, Jorgen Grahn wrote:

> I don't do SQL and I don't even understand the terminology properly
> ... but the discussion around it bothers me.
> 
> Do those people really do this?

Yes. And then some.

Among web developers, the median level of programming knowledge amounts to
the first 3 chapters of "Learn PHP in 7 Days".

It doesn't help that the guy who wrote PHP itself wasn't much better.

> - accept untrusted user data
> - try to sanitize the data (escaping certain characters etc)
> - turn this data into executable code (SQL)
> - executing it
> 
> Like the example in the article
> 
>   SELECT * FROM hotels WHERE city = '<untrusted>';

Yep. Search the BugTraq archives for "SQL injection". And most of those
are for widely-deployed middleware; the zillions of bespoke site-specific
scripts are likely to be worse.

Also: http://xkcd.com/327/

> I thought it was well-known that the solution is *not* to try to
> sanitize the input

Well known by anyone with a reasonable understanding of the principles of
programming, but somewhat less well known by the other 98% of web
developers.

> Am I missing something?

There's a world of difference between a skilled chef and the people
flipping burgers for a minimum wage. And between a chartered civil
engineer and the people laying the asphalt. And between what you
probably consider a programmer and the people doing most web development.

> If not, I can go back to sleep -- and keep
> avoiding SQL and web programming like the plague until that community
> has entered the 21st century.

Don't hold your breath.

Of course, there's no fundamental reason why you can't apply sound
practices to web development. Well, other than the fact that you're
competing against an infinite number of (code-) monkeys for lowest-bidder
contracts.

To be fair, it isn't actually limited to web developers. I've seen the
following in scientific code written in C (or, more likely, ported to C
from Fortran) for Unix:

	/* filename goes straight into a shell command line */
	sprintf(buff, "rm -f %s", filename);
	system(buff);

Why bother learning the Unix API when you already know system()?
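As an added example (not code from this post or from anyone in the thread): the hotels query from the quoted article, first done the way the thread complains about and then with a bound parameter, a home-grown quote-escaping "sanitizer" that is correct in one SQL context and useless in another, and the sprintf()/system() idiom from the end of the post next to the Unix-API version (unlink(2) via os.remove). Python and sqlite3 are used because this is Python-list; the table layout, hotel rows, payloads and function names are assumptions constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample data for the demo (not from the original post).
HOTELS = [
    ("Oslo", "Grand Hotel"),
    ("Oslo", "Hotel Continental"),
    ("Bergen", "Hotel Norge"),
]

# Constructed payloads: one for a quoted string context, one for a bare number.
SQL_PAYLOAD = "Nowhere' OR '1'='1"
ID_PAYLOAD = "1 OR 1=1"
SHELL_PAYLOAD = "nothing.txt; touch pwned.txt"


def make_db():
    """In-memory SQLite database with a hotels table like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hotels (id INTEGER PRIMARY KEY, city TEXT, name TEXT)")
    conn.executemany("INSERT INTO hotels (city, name) VALUES (?, ?)", HOTELS)
    return conn


def search_unsafe(conn, city):
    """The pattern under discussion: untrusted data pasted into SQL text."""
    sql = "SELECT name FROM hotels WHERE city = '%s' ORDER BY name" % city
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, city):
    """Parameterised query: the value is bound, never parsed as SQL."""
    sql = "SELECT name FROM hotels WHERE city = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (city,))]


def escape_quotes(value):
    """A typical home-grown 'sanitizer'. It only knows about one context."""
    return str(value).replace("'", "''")


def hotel_by_id_escaped(conn, hotel_id):
    """Escaping quotes does nothing here: the value is not inside quotes."""
    sql = "SELECT name FROM hotels WHERE id = %s ORDER BY name" % escape_quotes(hotel_id)
    return [row[0] for row in conn.execute(sql)]


def hotel_by_id_safe(conn, hotel_id):
    """Same query, bound parameter: a non-numeric value simply matches nothing."""
    sql = "SELECT name FROM hotels WHERE id = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (hotel_id,))]


def remove_unsafe(directory, filename):
    """The sprintf()/system() idiom: the name is spliced into shell text."""
    os.system("cd '%s' && rm -f %s" % (directory, filename))


def remove_safe(directory, filename):
    """The Unix API instead: one path, no shell, no re-parsing of the name."""
    try:
        os.remove(os.path.join(directory, filename))
    except FileNotFoundError:
        pass  # mirrors rm -f: a missing file is not an error


def demo_command_injection():
    """Returns (unsafe_created_pwned, safe_created_pwned) for SHELL_PAYLOAD."""
    with tempfile.TemporaryDirectory() as d:
        remove_unsafe(d, SHELL_PAYLOAD)
        unsafe_hit = os.path.exists(os.path.join(d, "pwned.txt"))
    with tempfile.TemporaryDirectory() as d:
        remove_safe(d, SHELL_PAYLOAD)
        safe_hit = os.path.exists(os.path.join(d, "pwned.txt"))
    return unsafe_hit, safe_hit


if __name__ == "__main__":
    db = make_db()
    print("unsafe search:", search_unsafe(db, SQL_PAYLOAD))
    print("safe search:  ", search_safe(db, SQL_PAYLOAD))
    print("escaped id:   ", hotel_by_id_escaped(db, ID_PAYLOAD))
    print("bound id:     ", hotel_by_id_safe(db, ID_PAYLOAD))
    print("shell/unlink created pwned.txt:", demo_command_injection())
```

The escaping function is not wrong as such (doubling single quotes is how SQLite string literals are escaped); the point is that it only protects a string literal, so the moment the same value lands next to a numeric column, in an identifier, or on a shell command line, the "sanitized" data is executable again. Binding the value, or passing the filename to unlink(2), removes the parse step instead of trying to outguess it.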




More information about the Python-list mailing list