lua-users home
lua-l archive



On Wed, 2010-03-10 at 20:37 +0100, Florian Weimer wrote:
> * Jorge:
> 
> > That's language level. On your application level, you are responsible
> > for validating data. An example is SQL injection: no matter how secure
> > your database is, if your app doesn't validate input, breaches will occur.
> 
> SQL injection is not an input validation problem.

Hmmm... Then we are talking about a different SQL injection, or we
understand "input validation" differently... From wiki:

"The vulnerability is present when user input is either incorrectly
filtered for string literal escape characters embedded in SQL statements
or user input is not strongly typed and thereby unexpectedly executed.
It is an instance of a more general class of vulnerabilities that can
occur whenever one programming or scripting language is embedded inside
another."

> And if your
> database provides an embedded SQL compiler, it's rather
> straightforward to check that no SQL injection issues exist in your
> application.

Avoiding it could be as trivial as escaping the damn input, but it's
still the programmer's responsibility, not SQL's. And as straightforward as
it is, systems keep on failing on this left and right.

Jorge
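The point the two sides are circling, shown as an added example that is not part of the thread (the table, the inputs and the function names are constructed for illustration): with string concatenation a quote character in untrusted input changes the structure of the statement, while a parameterized query (the "strongly typed" route from the Wikipedia passage) binds the value outside the SQL text, and manual escaping works only if it is applied correctly at every concatenation site.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table, not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: untrusted text is spliced into the SQL text itself,
    # so a quote inside `name` ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Hardened form: the statement is compiled with a placeholder and the
    # value is bound separately; the database never parses `name` as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_escaped(conn, name):
    # The "just escape the input" approach from the thread: doubling single
    # quotes is the SQL literal escape. Correct here, but it must be repeated
    # at every concatenation site, which is where systems keep failing.
    escaped = name.replace("'", "''")
    sql = "SELECT name FROM users WHERE name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def demo():
    # Returns the rows each variant yields for a benign name and for a
    # constructed name that contains a quote character.
    conn = make_db()
    benign = "bob"
    quoted = "x' OR 'a'='a"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_quoted": lookup_concat(conn, quoted),   # structure changed: every row
        "param_quoted": lookup_param(conn, quoted),     # treated as a literal: no row
        "escaped_quoted": lookup_escaped(conn, quoted), # escaped literal: no row
    }


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(variant, rows)
```

The concatenated query returns every user for the quoted input because the input is now part of the statement, not data; the parameterized and escaped forms return nothing because no user is literally named `x' OR 'a'='a`. The first is a code-review finding regardless of what the database does, which is the "application level" responsibility Jorge is describing.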