As if databases were not able to deal with apostrophes or other special characters...
Yes you have to sanitize your queries, but you have to do it anyway.
Client applications will of course have to be smarter
It's like the stories of people with the last name "Null" who get errors when trying to enter their name into websites. If that's true then I don't want to think about how poorly built (and insecure) those systems must be.
H2 offers quite a comprehensive solution for dealing with this:
> [H2] provides a way to enforce usage of parameters when passing user input to the database. This is done by disabling embedded literals in SQL statements. To do this, execute the statement:
> SET ALLOW_LITERALS NONE;
> Literals can only be enabled or disabled by an administrator
I would argue if you sanitize your input you are already doing it wrong, you should parameterize queries and send the data entirely separately from code.
charlieo88|1 year ago
arrowsmith|1 year ago
bombcar|1 year ago
That should break untold numbers of systems.
refset|1 year ago
https://www.h2database.com/html/advanced.html
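The two points made above, that apostrophes and names like "Null" are only a problem for code that glues data into SQL text, and that parameterizing the query (sending data separately from code) fixes it, as an added example that is not part of any comment in this thread. It uses Python's standard `sqlite3` module with an in-memory database; the table, the helper functions and the sample names are constructed for the demonstration. H2's `SET ALLOW_LITERALS NONE` enforcement is specific to H2 and is not shown here.

```python
import sqlite3

# Constructed sample inputs: the kinds of values the thread calls out.
SAMPLE_NAMES = ["O'Brien", "Null"]


def setup_db():
    """Fresh in-memory database with a single constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)"
    )
    return conn


def insert_unsafe(conn, last_name):
    """Data pasted into the SQL text (the 'sanitize and hope' approach).

    An apostrophe in the value ends the string literal early, so the
    statement no longer parses and sqlite3 raises an error.
    """
    sql = f"INSERT INTO users (last_name) VALUES ('{last_name}')"
    conn.execute(sql)


def insert_safe(conn, last_name):
    """Parameterized statement: the value never becomes part of the SQL
    text, so apostrophes and the word 'Null' are stored verbatim."""
    conn.execute("INSERT INTO users (last_name) VALUES (?)", (last_name,))


def lookup(conn, last_name):
    """Parameterized read-back; returns the stored string or None."""
    row = conn.execute(
        "SELECT last_name FROM users WHERE last_name = ?", (last_name,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """For each sample name report (unsafe_insert_succeeded, safe_round_trip_ok)."""
    results = {}
    for name in SAMPLE_NAMES:
        conn = setup_db()
        try:
            insert_unsafe(conn, name)
            unsafe_ok = True
        except sqlite3.Error:  # OperationalError: syntax error near the apostrophe
            unsafe_ok = False

        conn_safe = setup_db()
        insert_safe(conn_safe, name)
        # The database stores the string "Null" as a normal string; it is
        # application code that mistakes it for a missing value.
        safe_ok = lookup(conn_safe, name) == name
        results[name] = (unsafe_ok, safe_ok)
    return results


if __name__ == "__main__":
    for name, (unsafe_ok, safe_ok) in demo().items():
        print(f"{name!r}: concatenated insert ok={unsafe_ok}, parameterized round-trip ok={safe_ok}")
```

Running it shows that the concatenated insert fails for `O'Brien` while the parameterized one round-trips both names unchanged; "Null" is never a database problem at all, only an application-logic one.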
lyu07282|1 year ago
swasheck|1 year ago
ginko|1 year ago
ahazred8ta|1 year ago
dark-star|1 year ago
I guess there are lots more in other languages...
chrisjj|1 year ago
secondcoming|1 year ago