I see far more SVG injections than SQL injections these days, but YYMV. My programming ecosystem has very robusy SQL libraries, from simple prepared statement bindings to complex ORMs and everything in between.
I've seen it quite a lot in my career: even when prepared statements are available and easy to use from a SQL client library, many programmers will simply not use them, in favor of format strings and string concatenation (maybe with an attempt to quote/escape user input).
Just having support for the right way isn't enough. You have to put up roadblocks when people try to go the wrong way.
Why is a format string or string concatenation (or interpolation, what I would use) the “wrong way” when all user input (more precisely: all string literals) are properly escaped?
I see far more SVG injections than SQL injections these days, but YYMV. My programming ecosystem has very robusy SQL libraries, from simple prepared statement bindings to complex ORMs and everything in between.
I've seen it quite a lot in my career: even when prepared statements are available and easy to use from a SQL client library, many programmers will simply not use them, in favor of format strings and string concatenation (maybe with an attempt to quote/escape user input).
Just having support for the right way isn't enough. You have to put up roadblocks when people try to go the wrong way.
Why is a format string or string concatenation (or interpolation, what I would use) the “wrong way” when all user input (more precisely: all string literals) are properly escaped?
1 reply →