> From: Walden H. Leverich III
>
> > the problem of SQL Injection exists regardless of the
> > authentication method used or even the existence of
> > authentication.
>
> Only in poorly written code.
>
> To say that the problem is due to "really bad ASP programming" is
> just inflammatory.
>
> There's nothing in this issue that's Microsoft's
> fault, don't pin it there.

Walden, I went out of my way to be non-inflammatory, but since you think I wasn't trying hard enough, let me expand on my point and remind you of what it looks like when I do voice my opinion <grin>.

Whether you want to admit it or not, this is really bad ASP programming, particularly the bit about the "--" hack in the SQL statement, which to my knowledge doesn't work on any other platform. And while a version of this technique can probably be used in a really crappy JDBC statement, the truth is that most good Java programmers don't do that sort of stuff anymore, especially since JDBC 2. In fact, I have an entire lab available at Rochester Initiative on using JDBC 2 properly.

But here's the part where I really blame Microsoft: The statement "many programmers don't use them" is in reference to prepared statements but could just as well include any good programming techniques. A lot of commercial programming today stinks, and it is mostly a matter of bad training and bad management. Any programmer who uses obviously flawed programming techniques needs more training; any manager who allows them to be used in production software should be fired. If we stopped making excuses for bad programming and returned to an environment where quality was both expected and required, then we wouldn't have most of these hacks. For example, all buffer overrun hacks are a direct result of a REALLY BAD PROGRAMMING TECHNIQUE. In fact, it's the same bad programming technique: not checking for the end of the buffer (D'oh!).

But since this level of quality is accepted in the software that comes out of Redmond, it is now pervasive in the computing community. Maybe it's not Microsoft's fault in this particular case, but the atmosphere of poor quality programming I lay squarely at the feet of the folks in Redmond. By putting out code using lazy and sloppy techniques, Microsoft invented the email virus. By refusing to fix it except with more hacks upon hacks, they extend the life of the concept. Or more precisely, they continue to provide the host where these things could thrive. If you think of your network as a human body, Windows is the HIV of desktop computing. And it's bad enough that it's on your desktop; it's even scarier when it's considered for mission critical business operations.

There, NOW you can accuse me of being inflammatory <smile>.

Joe
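The "--" trick Joe refers to, as an added example that is not part of the original post: a login query built by string concatenation beside the parameterized form he recommends. It uses Python's sqlite3 module against a constructed in-memory table (not anything from the list); the same split applies to JDBC, where a concatenated `Statement` corresponds to the first function and a `PreparedStatement` with `?` placeholders to the second.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn, user, pw):
    """Vulnerable form: user input is pasted into the SQL text.

    A name ending in a quote and '--' closes the literal early and turns
    the rest of the WHERE clause (the password check) into a comment,
    which is exactly the hack the post describes.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + user
        + "' AND password = '" + pw + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, user, pw):
    """Hardened form: a prepared statement with bound parameters.

    The SQL text is fixed; the driver passes the values separately, so a
    quote or '--' inside the input is just data and never becomes syntax.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


def compare(user, pw):
    """Run both forms on the same input so the difference is visible."""
    concat_rows = login_concat(make_db(), user, pw)
    prepared_rows = login_prepared(make_db(), user, pw)
    return concat_rows, prepared_rows


if __name__ == "__main__":
    # Legitimate login: both forms agree.
    print(compare("alice", "s3cret"))
    # Comment-truncated name with a wrong password: only the concatenated
    # form lets it through; the prepared form finds no such user.
    print(compare("alice'--", "wrong"))
```

Running the script shows the concatenated query returning `['alice']` for the wrong password because everything after `--` was dropped, while the prepared statement returns an empty list. The prepared form also copes with names that legitimately contain an apostrophe, which the concatenated version cannot even parse.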
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.