[sword-devel] Per Project news: - was Re: CrossWire news
dmsmith at crosswire.org
Mon Feb 14 09:54:08 MST 2011
On 02/14/2011 11:13 AM, Peter von Kaehne wrote:
> Ok. I have messed up here massively.
I wouldn't say that. I write web <-> db kind of code daily and have
learned the hard way not to do certain things and to do others.
> Once Jon showed me the matter, I added a string-to-integer parse step and then a further integer-to-string cast, so all relevant holes are now covered.
This is another "best" practice: Sanitize input, validating that it is
only what you want, failing otherwise.
> Wrong input will now result in an exception, but not expose holes. I guess one could introduce safe values in the exception handling instead of simply failing, but as this is not meant to be used by outsiders really, I see no good reason for that. Tell me if I am wrong.
I think you are right. Here, giving the user back something that they
didn't ask for would probably be confusing.
> I learned a lot here. Many thanks to all, and particularly to Jon for pointing it out so gently.
I'm sorry for being straightforward/blunt.
> In the meantime I have also read up on the suggestions of using a prepared statement. So maybe this is the next step forward. It certainly will be high on my consideration if I ever again touch SQL code and use outside input.
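The two approaches discussed in this exchange, as an added example in Python with the standard sqlite3 module. This is not code from the project or from anyone in the thread; the table, the module names and the function names are constructed for illustration. It shows the vulnerable string concatenation, the parse-to-integer-and-cast-back fix, and, going one step beyond the thread, a text lookup where no integer parse is available and a bound parameter is what keeps the input from changing the query.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table for this example (not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?)",
                     [(1, "KJV"), (2, "ESV"), (3, "WLC")])
    return conn


def lookup_unsafe(conn, raw_id):
    """The 'before': request input pasted straight into the SQL text."""
    sql = "SELECT name FROM modules WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def to_module_id(raw):
    """Sanitize by parsing: accept a decimal integer or fail with ValueError.

    int() is lenient (it accepts "+1", " 1 ", "1_0" and non-ASCII digits), so the
    cast back to str matters: what reaches the SQL text is ASCII digits only.
    """
    value = int(raw)  # ValueError on "1 OR 1=1", "", "1.5", "0x10"
    if value < 0:
        raise ValueError("module id must be non-negative")
    return str(value)


def lookup_sanitized(conn, raw_id):
    """The fix described in the thread: parse to int, cast back, then build the query."""
    sql = "SELECT name FROM modules WHERE id = " + to_module_id(raw_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_name_unsafe(conn, raw_name):
    """Text input: quoting by hand is not enough, a single quote breaks out."""
    sql = "SELECT name FROM modules WHERE name = '" + raw_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_name_prepared(conn, raw_name):
    """Parameterized (prepared) statement: the value is bound, never spliced into SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM modules WHERE name = ?", (raw_name,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "1 OR 1=1"))           # all three rows: input changed the query
    print(lookup_sanitized(db, " +1 "))            # ['KJV']: leniency normalised away
    try:
        lookup_sanitized(db, "1 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
    print(lookup_name_unsafe(db, "x' OR '1'='1"))    # all three rows
    print(lookup_name_prepared(db, "x' OR '1'='1"))  # []: compared as a literal string
```

The integer parse is a complete answer for numeric parameters, and failing on bad input is the right default for an internal tool, as the thread concludes. The last two functions show why prepared statements are still worth the next step: for a name or any other free-text parameter there is no parse-and-cast trick, and binding the value is what stops the quote from ending the literal.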