On Sun, 23 Apr 2017 21:31:42 +0100 Simon Slavin <slav...@bigfraud.org> wrote:
> If you don't understand what you're doing, hire an experienced
> programmer.

Ah, but you don't know what you don't know. After all, 90% of programmers rate themselves "above average".

When I first heard of "SQL injection" years ago, I started looking into it, of course. Every single one I read about could have been prevented by following two simple, well known rules:

1. Every database access must be through stored procedures.
2. The process accessing the database must have no rights to the database except through stored procedures.

(SQLite can't provide the same degree of protection because it doesn't offer process separation. That makes it inappropriate for some applications. OK.)

For SQL injection to be a problem requires the whole technical organization to neglect to protect the data. That criminals try to steal data is no surprise. That so-called professionals abet them through neglect borders on malfeasance.

--jkl

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
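The two rules in the post above, laid out as a concrete privilege scheme. This is an added example, not code from the list post; it assumes a PostgreSQL server (where routines carry their own grants, unlike SQLite), and the `users` table, the `find_user`/`add_user` routines and the `app_user` role are all constructed for illustration.

```sql
-- Constructed example (PostgreSQL 11+). The schema is created by a
-- privileged owner; the application connects only as app_user.
CREATE TABLE users (
    id        serial PRIMARY KEY,
    username  text NOT NULL UNIQUE,
    email     text NOT NULL
);

-- Rule 1: every access goes through a routine. Parameters are typed, so a
-- value such as  ' OR 1=1 --  is just a string compared against username.
CREATE FUNCTION find_user(p_username text)
RETURNS TABLE (user_id integer, user_name text, user_email text)
LANGUAGE sql
SECURITY DEFINER            -- runs with the owner's rights, not the caller's
SET search_path = public    -- pin name resolution so the caller cannot redirect it
AS $$
    SELECT id, username, email FROM users WHERE username = p_username;
$$;

CREATE PROCEDURE add_user(p_username text, p_email text)
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    INSERT INTO users (username, email) VALUES (p_username, p_email);
$$;

-- Rule 2: the application role holds no rights on the tables themselves,
-- only EXECUTE on the routines. PUBLIC gets EXECUTE by default, so revoke it.
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-change-me';
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM app_user;
REVOKE ALL ON FUNCTION find_user(text) FROM PUBLIC;
REVOKE ALL ON PROCEDURE add_user(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_user;
GRANT EXECUTE ON FUNCTION find_user(text) TO app_user;
GRANT EXECUTE ON PROCEDURE add_user(text, text) TO app_user;

-- Check, run as app_user: direct table access fails, the routine works.
-- SET ROLE app_user;
-- SELECT * FROM users;                -- ERROR: permission denied for table users
-- SELECT * FROM find_user('alice');   -- allowed
```

With this layout an injected string can at most change which username the routine looks up; it cannot reach the table, other tables, or DDL, because the connecting role was never granted them.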