I agree, I also dislike the term SQL injection. But the problem isn't that there is a query, there problem is that the source code of one program is constructed by string manipulation in the source code of another program. XSS issues (where javascript can be embedded into a string that is supposed to be a value in a HTML document) are the same. Also occurs with shell scripts. The goal has to be to avoid such manual processes. Between lower level languages, it's customary to export a function call in a standard ABI. It should also be the same here: regard queries as function calls in a foreign language. Javascript is basically there, but query languages only have fits and starts (e.g. you often have some syntax like `SELECT * FROM "tbl" where "field" = ?` which can then accept the parameter in a form that is intended for transferring user values) and generally rely on good hygiene and ORMs to protect the end user.
No comments yet.