09-07-2008, 23:30   #27
Hunch
Grumpy old man
Join Date: Oct 2007
Location: North Japan
Posts: 2,407
I don't disagree with you at all hobo - you spotted my setup for what it was and my comments below aren't aimed at you in any way. I totally concur that it's good practice to validate data, if for no other reason than that you want to sanitize it for easy searching or to remove total nonsense data. I also share the same paranoia with anything coming in from the user end and I wouldn't pretend otherwise. I accept my example was a little contrived to make a point, but nonetheless I think it's illustrated what I wanted to show.

What I took issue with was the blanket statement made earlier in this thread (by someone else) along the lines of "PHP must validate, Javascript is good practice but non-essential etc..." (paraphrasing).

Looking at coding in these black and white "there is only one way" terms is to go against everything that programming means, i.e. considering EVERY case on its individual merits. If you go into something with a singular view of how something should be done, you need to reconsider your entire approach to programming.

mx and Blackf0rk - forgive me for being a little mean, but you've just fallen straight into the little trap I set to make my point. You've given a stock answer about SQL Injection without either understanding the problem or considering it in isolation. Your "DELETE *" examples would do absolutely nothing in the situation I described, regardless of how many semicolons you throw in. I tried to give a little hint with my bizarre 'leetspeak' name containing all manner of bad characters, but perhaps it was overlooked. Clearly neither of you knows what a prepared statement is, or how it nullifies exactly the kind of attack you've suggested, but you confidently answered the question because that's what you've learned before.

And that's really all I was trying to say. Looking at a problem with a pre-ordained answer already firmly fixed in your head is not how good programmers work. Look at the context of every new problem with fresh eyes and figure out the solution based on its individual peculiarities. If you have a past solution that will work for you, then go with it. But don't just pick your answer because it looks like something you've seen before. It might not be.
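The prepared-statement point the post above makes, shown as an added example that is not part of the thread or of any poster's code. It uses PHP's PDO with an in-memory SQLite database so it runs stand-alone; the `users` table, the `insertAndFetch` helper and the hostile-looking "name" are all constructed for the illustration. Because the value travels to the driver through a placeholder, the quotes, semicolons and comment marker are stored and matched as plain text rather than read as SQL, which is why the stacked "DELETE" payloads discussed in the thread have no effect here.

```php
<?php
// Added example (not from the original forum thread). Requires the pdo_sqlite extension.

// Insert a user-supplied name and read it back, both via prepared statements.
// The placeholder :name is bound as a value, so the database never parses
// the contents of $name as SQL syntax.
function insertAndFetch(PDO $pdo, string $name): array
{
    $insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute([':name' => $name]);

    $select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $select->execute([':name' => $name]);

    return $select->fetchAll(PDO::FETCH_COLUMN);
}

// Count rows so we can confirm nothing was deleted.
function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and seed data for the demonstration.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile "leetspeak" name: quotes, semicolons and a comment marker,
// the kind of characters the thread's example name was built from.
$hostile = "h4x0r'; DELETE FROM users; -- ";

$matched = insertAndFetch($pdo, $hostile);

// The stored value is byte-for-byte the input, and the lookup finds exactly that row.
printf("stored and matched literally: %s\n", var_export($matched === [$hostile], true));

// The seed rows are untouched; the only change is the one literal row we inserted.
printf("rows in users: %d\n", rowCount($pdo));
```

The check worth keeping from this is the last one: after feeding the worst-looking input you can construct through the prepared path, the row count should have grown by exactly one and the seed rows should still be present. If an application's own data-access layer fails that check, it is building SQL by string concatenation somewhere, and that is the place to fix rather than the input validation.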