> On Jul 21, 2017, at 9:48 AM, John McKown <john.archie.mck...@gmail.com> wrote:
> 
> And, just to interject a politically incorrect statement, any "programmer"
> who does not use the safer interface is either __extremely__ ignorant, or
> arrogantly stupid

I wouldn’t put it that harshly, but I agree in spirit. If you’re just learning 
an API and experimenting on your own, it’s understandable that you’ll overlook 
parts of it, or miss best practices, and make mistakes. If that causes crashes 
or problems on your computer, well, that’s part of learning. We all do that.

But anyone writing software that runs in a web server, or that otherwise 
interacts with untrusted data, has to pay attention to basic security 
practices. And a fundamental one is that you don’t run code that some untrusted 
person sent you. SQL statements are code. So incorporating user input into a 
string and then telling a SQL database to evaluate that string is incredibly 
unsafe. 

Anyone who doesn’t hear alarm bells going off when they see code like “UPDATE 
students set name=$FORM_DATA …” really shouldn’t be writing this sort of 
software. (And it gets worse than this. A major attack on Wordpress and other 
PHP apps about ten years ago, that caused a lot of damage worldwide, was 
triggered by some bozo using PHP’s “eval()” function inside an XMLRPC library.)

It’s like: if you want to fool around with gears and pulleys and learn 
mechanics in your home workshop, awesome! But if you’re going to build an 
elevator for my 20-story apartment building, I really want you to have a solid 
knowledge of structural engineering and safety practices, so you don’t do 
something ignorant and get people killed.

—Jens
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users