Re: Sql injection attacks

From: Tom Allison
Subject: Re: Sql injection attacks
Date:
Msg-id: 4105EF1E.2020901@tacocat.net
In reply to: Re: Sql injection attacks (Geoff Caplan <geoff@variosoft.com>)
Responses: Re: Sql injection attacks; Sequences & rules
List: pgsql-general
Geoff Caplan wrote:
> Hi folks
>
> Seems we have two schools of thought:
>
> 1) The validation/escaping approach, supported by Bill and Jim
>
> 2) The "don't mix data with code" approach supported by Peter and
> Greg.
>
> As I learn more about the issues, I am increasingly veering towards
> the second approach.

Now I always assumed that the correct approach was always going to be D) ALL of the above.

Furthermore, if you are really concerned about passing information through the URL, consider relating data in your database to sessions, cookies, and file caches to alias all those fields you pass back and forth to a session ID or similar. The example of "...index.html?id=34" is sufficient for much of this, though I doubt 'zine articles merit greater security than this.
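The three layers the reply above calls "all of the above" (input validation, a parameterized query so data never becomes SQL text, and a session-scoped alias in place of the raw row id), as an added, runnable example that is not part of the original post or of PostgreSQL itself. It assumes an in-memory sqlite3 database as a stand-in for PostgreSQL so it runs offline; the `article` table, its rows, the `Session` class and the `fetch_*` function names are all constructed here for illustration. Note that sqlite3 uses `?` as its placeholder; a PostgreSQL driver such as psycopg2 uses `%s`, but the principle (the driver binds the value, the SQL string stays constant) is the same.

```python
"""Validation + parameterized query + session aliasing for "?id=34".

Added example; uses sqlite3 in memory as a stand-in for PostgreSQL.
All table data and names below are constructed for illustration.
"""
import re
import secrets
import sqlite3

# Constructed sample rows: one hidden row that a reader must never see.
ARTICLES = [
    (34, "Public zine article", 0),
    (35, "Draft, editors only", 1),
    (36, "Another public article", 0),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)"
    )
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)", ARTICLES)
    return conn


# 1. The vulnerable pattern: the URL value is pasted straight into the SQL text.
#    "34 OR 1=1" turns the WHERE clause into (hidden = 0 AND id = 34) OR 1=1,
#    which returns every row, hidden ones included.
def fetch_unsafe(conn: sqlite3.Connection, id_param: str) -> list:
    sql = "SELECT id, title FROM article WHERE hidden = 0 AND id = " + id_param
    return conn.execute(sql).fetchall()


# 2a. Validation: accept only a plain ASCII decimal integer. Anything else
#     (spaces, quotes, keywords, unicode digits) is rejected before any SQL runs.
def validate_id(id_param: str) -> int:
    if not re.fullmatch(r"[0-9]{1,18}", id_param):
        raise ValueError("id must be a decimal integer")
    return int(id_param)


def rejects(id_param: str) -> bool:
    """True if validate_id refuses this input (helper for checking behaviour)."""
    try:
        validate_id(id_param)
    except ValueError:
        return True
    return False


# 2b. Parameterized query: the SQL text is a constant, the value is bound by the
#     driver, so it can never be interpreted as code even if validation is bypassed.
def fetch_safe(conn: sqlite3.Connection, id_param: str) -> list:
    article_id = validate_id(id_param)
    return conn.execute(
        "SELECT id, title FROM article WHERE hidden = 0 AND id = ?", (article_id,)
    ).fetchall()


# 3. Aliasing: the URL carries an opaque per-session token instead of the row id,
#    so the client never learns (or forges) real identifiers at all.
class Session:
    def __init__(self) -> None:
        self._alias_to_id: dict = {}

    def alias_for(self, article_id: int) -> str:
        token = secrets.token_urlsafe(12)
        self._alias_to_id[token] = article_id
        return token

    def resolve(self, token: str):
        return self._alias_to_id.get(token)


def fetch_by_alias(conn: sqlite3.Connection, session: Session, token: str) -> list:
    article_id = session.resolve(token)
    if article_id is None:
        return []  # unknown or foreign token: nothing, not an error leak
    return fetch_safe(conn, str(article_id))


if __name__ == "__main__":
    db = make_db()
    print("unsafe, injected:", fetch_unsafe(db, "34 OR 1=1"))
    print("safe, injected rejected:", rejects("34 OR 1=1"))
    s = Session()
    tok = s.alias_for(34)
    print("by alias:", fetch_by_alias(db, s, tok))
```

The point of running all three together: validation stops malformed input early with a clear error, parameter binding makes injection impossible even for input that slips past validation, and aliasing removes the incentive to tamper with the URL at all since the token is meaningless outside its session.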