Comment by kortilla
6 years ago
Not sure if you’ve worked with databases before, but SQL injection sanitization belongs at the SQL layer, not the user input validation layer.
If you’re doing it at user input validation, you’re doing it wrong.
6 years ago
This!
It's impossible to do SQL-safety validation at any other layer, because otherwise you're making the assertion that someone with the last name "O'Neil" or "Null" (Yes! A real name!) may as well give up and legally change it for the "safety" of programmers that are too lazy to do things right.
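An added example (not code from either commenter) showing why the thread's point holds: the same lookup written three ways against a constructed in-memory SQLite table. String concatenation breaks on "O'Neil", "sanitizing" quotes at the input layer silently loses the row, and binding the value as a parameter at the SQL layer handles both "O'Neil" and "Null" correctly. The table, rows and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data: legitimate last names that defeat naive "input validation".
SAMPLE_USERS = [("Anne", "O'Neil"), ("Jon", "Null"), ("Eve", "Smith")]

def make_db():
    """In-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (first TEXT, last TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_by_last_concat(conn, last):
    """Anti-pattern: the value is pasted into the SQL text. A single quote in the
    data changes the statement's structure, so this raises on "O'Neil"."""
    sql = "SELECT first FROM users WHERE last = '" + last + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_last_stripped(conn, last):
    """Anti-pattern: 'sanitizing' at the input layer by deleting quotes. It no
    longer raises, but it silently corrupts legitimate data: O'Neil is never found."""
    cleaned = last.replace("'", "")
    sql = "SELECT first FROM users WHERE last = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]

def find_by_last_param(conn, last):
    """Correct: the SQL text is fixed and the value is bound as a parameter at the
    SQL layer, so the database never interprets the data as syntax."""
    sql = "SELECT first FROM users WHERE last = ?"
    return [row[0] for row in conn.execute(sql, (last,))]

def demo():
    """Run all three lookups for the awkward names and collect the outcomes."""
    conn = make_db()
    results = {}
    try:
        find_by_last_concat(conn, "O'Neil")
        results["concat"] = "no error"
    except sqlite3.OperationalError as exc:
        results["concat"] = f"error: {exc}"
    results["stripped"] = find_by_last_stripped(conn, "O'Neil")  # [] - row lost
    results["param"] = find_by_last_param(conn, "O'Neil")        # ['Anne']
    results["null_name"] = find_by_last_param(conn, "Null")      # ['Jon']
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```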