- From: timeless <timeless@gmail.com>
- Date: Thu, 18 Oct 2007 01:51:04 +0300
On 10/18/07, Ian Hickson <ian at hixie.ch> wrote:
> What would be cool is if we could detect, through tainting, the bad
> codepaths. But I see no way to do that here.

Could you simply require that all SQL statements be of the form "X = ?" instead of "X = 1", i.e., any attempt to not use parameterized expressions throws? I know it's possible to screw this up, but would it at least be hard enough?
Received on Wednesday, 17 October 2007 15:51:04 UTC
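As an added illustration of the rule timeless proposes (this is example code written for this page, not code from the thread or from any browser or database project): a small JavaScript guard that tokenizes a SQL statement, rejects any string or number literal sitting directly beside a comparison operator (the "X = 1" or "'a' = X" shapes), and only accepts the `?` placeholder form with a matching number of parameters. The function names `tokenize`, `findInlineLiterals` and `prepareStrict` are hypothetical; the statements and values are constructed for the example.

```javascript
// Tokenize SQL text into tokens of kind 'string', 'number', 'ident', 'op' or
// 'param'. Whitespace and comments are dropped so they cannot hide a literal.
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '-' && sql[i + 1] === '-') {               // "--" line comment
      while (i < sql.length && sql[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && sql[i + 1] === '*') {               // "/* */" block comment
      const end = sql.indexOf('*/', i + 2);
      if (end < 0) throw new Error('unterminated block comment');
      i = end + 2;
      continue;
    }
    if (c === "'") {                                     // string literal; '' is an escaped quote
      let j = i + 1;
      for (;;) {
        if (j >= sql.length) throw new Error('unterminated string literal');
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; }
          break;
        }
        j++;
      }
      tokens.push({ kind: 'string', text: sql.slice(i, j + 1) });
      i = j + 1;
      continue;
    }
    if (c === '"') {                                     // double-quoted identifier
      const end = sql.indexOf('"', i + 1);
      if (end < 0) throw new Error('unterminated quoted identifier');
      tokens.push({ kind: 'ident', text: sql.slice(i, end + 1) });
      i = end + 1;
      continue;
    }
    const rest = sql.slice(i);
    const num = rest.match(/^(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?/);
    if (num) { tokens.push({ kind: 'number', text: num[0] }); i += num[0].length; continue; }
    const word = rest.match(/^[A-Za-z_][A-Za-z0-9_]*/);
    if (word) { tokens.push({ kind: 'ident', text: word[0] }); i += word[0].length; continue; }
    if (c === '?') { tokens.push({ kind: 'param', text: '?' }); i++; continue; }
    const two = rest.slice(0, 2);
    if (['<>', '!=', '<=', '>=', '||'].includes(two)) { tokens.push({ kind: 'op', text: two }); i += 2; continue; }
    tokens.push({ kind: 'op', text: c });
    i++;
  }
  return tokens;
}

// Operators and keywords after (or before) which a raw literal is not allowed.
const COMPARISON = new Set(['=', '<>', '!=', '<', '>', '<=', '>=', 'LIKE', 'GLOB']);

function isComparison(tok) {
  if (!tok) return false;
  if (tok.kind === 'op') return COMPARISON.has(tok.text);
  if (tok.kind === 'ident') return COMPARISON.has(tok.text.toUpperCase());
  return false;
}

// Returns the literals that appear directly beside a comparison operator,
// i.e. every place the statement says "X = 1" where it should say "X = ?".
function findInlineLiterals(sql) {
  const toks = tokenize(sql);
  const bad = [];
  toks.forEach((t, k) => {
    if (t.kind !== 'string' && t.kind !== 'number') return;
    if (isComparison(toks[k - 1]) || isComparison(toks[k + 1])) bad.push(t.text);
  });
  return bad;
}

// Gate in the shape of an executeSql(sql, params) call: throws on inline
// literals in comparisons and on a placeholder/parameter count mismatch,
// otherwise hands back the statement and its bound values untouched.
function prepareStrict(sql, params) {
  const bad = findInlineLiterals(sql);
  if (bad.length > 0) {
    throw new Error('inline literal in comparison, use ? instead: ' + bad.join(', '));
  }
  const placeholders = tokenize(sql).filter(t => t.kind === 'param').length;
  if (placeholders !== params.length) {
    throw new Error(`statement has ${placeholders} placeholders but ${params.length} parameters were given`);
  }
  return { sql, params };
}

// Constructed usage: the parameterized form passes, the literal form is refused.
prepareStrict('SELECT * FROM users WHERE name = ? AND age > ?', ['bob', 30]);
try {
  prepareStrict("SELECT * FROM users WHERE name = 'bob' AND age > 30", []);
} catch (e) {
  console.log(e.message);
}
```

The check is deliberately narrow, which is the "possible to screw this up" part of the message: it catches literals next to comparison operators, but a literal inside a function call, in a `VALUES (...)` list or in a `LIMIT` clause passes, and a value spliced into an identifier position is not a literal at all. It is a cheap lint that makes the accidental path hard, not a substitute for the database binding the parameters itself.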