> Well, you should still escape any strings you're getting from a web
> page so
> you can ensure you're not subject to a SQL insert attack, even if you're
> expecting integers.
> Peter Darley
Well, your framework should do this for you :
"integer" specified in your database object class description
"%d" appears in in your generated queries (or you put it in your hand
=> if the parameter is not an integer, an exception is thrown, then
catched, then an error page is displayed...
Or, just casting to int should throw an exception...
Forms should be validated, but hidden parameters in links are OK imho to
display an error page if they are incorrect, after all, if the user edits
the get or post parameters, well...
In response to
pgsql-performance by date
|Next:||From: Merlin Moncure||Date: 2004-11-23 17:06:47|
|Subject: Re: [pgsql-hackers-win32] scalability issues on win32|
|Previous:||From: Alexandre Leclerc||Date: 2004-11-23 16:29:45|
|Subject: Re: Data type to use for primary key|