[sword-devel] Per Project news: - was Re: CrossWire news

Peter von Kaehne refdoc at gmx.net
Mon Feb 14 09:13:39 MST 2011


Ok. I have messed up here massively.

Once Jon showed me the matter I added a string-to-integer parse step and then a further integer-to-string cast, so all relevant holes are now covered. Wrong input will now result in an exception, but not expose holes. I guess one could introduce safe values in the exception handling instead of simply failing, but as this is not meant to be used by outsiders really, I see no good reason for that. Tell me if I am wrong.

I learned a lot here. Many thanks to all, and particularly to Jon for pointing it out so gently.

In the meantime I have also read up on the suggestions of using a prepared statement. So maybe this is the next step forward. It will certainly be high on my list of considerations if I ever again touch SQL code that uses outside input.

Yours

Peter
-- 
Heard already? GMX has built a brilliant phishing filter into the
toolbar! http://www.gmx.net/de/go/toolbar
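As an added example, not code from this mail or from the CrossWire project (the language, schema and query of the original code are not shown, so a Python sqlite3 in-memory database with a made-up `modules` table stands in for them): the concatenation hole, the parse-to-int-then-cast-back fix described above, and the prepared (parameterised) statement that was suggested as the next step.

```python
import sqlite3

# Constructed sample database, not the project's real schema: records looked up
# by a numeric id supplied from outside (e.g. a query-string parameter).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?, ?)",
                     [(1, "KJV", "s1"), (2, "ESV", "s2")])
    conn.commit()
    return conn


def lookup_unsafe(conn, user_id: str):
    """The hole: the raw input string becomes part of the SQL text."""
    sql = "SELECT name FROM modules WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parse_then_cast(conn, user_id: str):
    """The fix described in the mail: parse the input as an integer (int()
    raises ValueError on anything that is not an integer literal), then cast
    it back to a string before building the query. Only a plain decimal
    number survives the round trip, so no quotes, spaces or keywords can
    reach the SQL text."""
    n = int(user_id.strip())
    sql = "SELECT name FROM modules WHERE id = " + str(n)
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id: str):
    """The suggested next step: a prepared statement. The value is bound
    separately from the SQL text, so it can never change the query's
    structure. int() is kept so junk input still fails loudly instead of
    silently matching nothing."""
    n = int(user_id.strip())
    return [row[0] for row in conn.execute(
        "SELECT name FROM modules WHERE id = ?", (n,))]


def demo():
    """Run all three against a constructed malicious input and a benign one."""
    conn = make_db()
    # Constructed attack string: appends a UNION that pulls the secret column.
    evil = "1 UNION SELECT secret FROM modules"
    out = {"unsafe": sorted(lookup_unsafe(conn, evil))}
    for name, fn in (("parsed", lookup_parse_then_cast), ("prepared", lookup_prepared)):
        try:
            fn(conn, evil)
            out[name] = "no error"
        except ValueError:
            out[name] = "rejected"   # the exception the mail describes
    out["prepared_ok"] = lookup_prepared(conn, "2")
    return out


if __name__ == "__main__":
    print(demo())
```

The parse-then-cast trick only works because the column is numeric: every value that survives `int()` is a bare number. For a text column there is no equivalent round trip, and the prepared statement is the only version of the three that stays correct, which is why it is the one to reach for whenever outside input meets SQL.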


