[sword-devel] Per Project news: - was Re: CrossWire news

DM Smith dmsmith at crosswire.org
Mon Feb 14 09:54:08 MST 2011


On 02/14/2011 11:13 AM, Peter von Kaehne wrote:
> Ok. I have messed up here massively.
I wouldn't say that. I write web <-> db kind of code daily and have 
learned the hard way not to do certain things and to do others.

> Once Jon showed me the matter I added a string-to-integer parse step and then a further integer-to-string cast so all relevant holes are now covered.
This is another "best" practice: Sanitize input, validating that it is 
only what you want, failing otherwise.

> Wrong input will now result in an exception, but not expose holes. I guess one could introduce safe values in the exception handling instead of simply failing, but as this is not meant to be used by outsiders really, I see no good reason for that. Tell me if I am wrong.
I think you are right. Here, giving the user back something that they 
didn't ask for would probably be confusing.

> I learned a lot here. Many thanks to all and particularly to Jon for pointing it out so gently.

I'm sorry for being straightforward/blunt.

> In the meantime I have also read up on the suggestions of using a prepared statement. So maybe this is the next step forward. It certainly will be high on my consideration if I ever again touch SQL code and use outside input.
>
> Yours
>
> Peter
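The two defences the thread settles on, a string-to-integer parse that fails on anything non-numeric and a prepared (parameterized) statement, shown together as an added example; this is not code from the thread or from CrossWire, and the `modules` table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the
    real web-to-database lookup discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO modules (id, name) VALUES (?, ?)",
        [(1, "KJV"), (2, "ESV"), (3, "WEB")],
    )
    return conn


def parse_id(raw: str) -> int:
    """Step 1 (sanitize): the request parameter must be a non-negative
    integer and nothing else. int() raises ValueError on inputs such as
    "1 OR 1=1", "1;", or "", so bad input fails here instead of reaching SQL."""
    value = int(raw.strip())
    if value < 0:
        raise ValueError(f"negative id: {value}")
    return value


def lookup_name(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Step 2 (prepared statement): even a validated integer is bound as a
    parameter rather than spliced into the query text, so the database
    never parses request data as SQL."""
    module_id = parse_id(raw_id)
    row = conn.execute(
        "SELECT name FROM modules WHERE id = ?", (module_id,)
    ).fetchone()
    return row[0] if row else None


def is_accepted(raw: str) -> bool:
    """True if the input survives validation, False if parse_id rejects it."""
    try:
        parse_id(raw)
        return True
    except ValueError:
        return False
```

A request for an id that does not exist returns None rather than a substitute value, matching the "fail instead of inventing a safe value" choice in the thread.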
