On Jun 27, 2011, at 7:55 AM, Grigore Dolghin wrote:

> I watched the video. While I agree that works, it still sucks. "DROP"
> can be LEGIT data. I just don't understand why people avoid a built-in
> fail-proof method readily available and use instead all sorts of
> improvisations. WTF. What if @Filters is longer than 200 chars?
The typical cause for this behavior is a developer thinking that they understand everything that could possibly happen, and that they're able to write the code to deal with it. It usually doesn't occur to them that there are people who do nothing all day except think of ways to penetrate such defenses, and other people who do nothing all day except keep that first group out. IMO, it's extreme hubris to think that someone who does all sorts of programming stuff all the time could do as well as either of these groups.

The reason that most databases come with proper data sanitizing methods is that these problems have already been analyzed and solved by more man-hours than any solo developer could devote to such a task. Security is hard. Cryptography is hard. As soon as you think that you can do it better, you're in trouble.

-- Ed Leafe

_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/44c41d6d-2a35-4da5-8960-1cde161a5...@leafe.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
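The two points made in this exchange, that a keyword blacklist rejects legitimate data containing "DROP" while the database's own parameter binding handles any value safely, shown side by side as an added example (not code from the thread or from the ProFox list). It uses Python's standard sqlite3 module in place of whatever database the original poster had in mind; the table, the sample names and the hostile string are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample values: "Drop Anchor" contains DROP as legitimate data, the
# case the thread complains about; HOSTILE_NAME is a constructed injection-style
# string that must be stored verbatim, never executed.
LEGIT_NAMES = ["Acme Widgets", "Drop Anchor Marine Supply", "O'Reilly & Sons"]
HOSTILE_NAME = "x'); DROP TABLE customers; --"
KEYWORD_FILTER = re.compile(r"\b(DROP|DELETE|INSERT|UPDATE)\b", re.IGNORECASE)


def blacklist_allows(value):
    # The improvised check: reject any value containing a SQL verb.
    return KEYWORD_FILTER.search(value) is None


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def table_exists(conn):
    q = "SELECT 1 FROM sqlite_master WHERE type='table' AND name='customers'"
    return conn.execute(q).fetchone() is not None


def insert_concatenated(conn, name):
    # VULNERABLE: the value is spliced into the SQL text, so a quote inside the
    # data ends the literal and the rest is parsed as SQL. executescript is
    # used because it runs every statement in the string, as a server would.
    conn.executescript(f"INSERT INTO customers (name) VALUES ('{name}');")


def insert_parameterized(conn, name):
    # The built-in method: the value travels separately from the SQL text, so
    # it is always a string literal no matter what it contains.
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def run_demo():
    # Outcome of each approach on the same inputs.
    unsafe = fresh_db()
    insert_concatenated(unsafe, LEGIT_NAMES[0])
    insert_concatenated(unsafe, HOSTILE_NAME)
    safe = fresh_db()
    for n in LEGIT_NAMES + [HOSTILE_NAME]:
        insert_parameterized(safe, n)
    return {
        "blacklist_rejects_legit": [n for n in LEGIT_NAMES if not blacklist_allows(n)],
        "concatenated_table_survives": table_exists(unsafe),
        "parameterized_table_survives": table_exists(safe),
        "parameterized_rows": [r[0] for r in safe.execute("SELECT name FROM customers ORDER BY id")],
    }
```

Running `run_demo()` shows the blacklist throwing away "Drop Anchor Marine Supply", the concatenated path losing the whole table, and the parameterized path storing all four values, hostile string included, as plain rows.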