My take on this is that the scriptwriter's goal was not to stop SQL injection attacks but rather prevent regular users from inadvertently screwing with the database.
Looking at it that way makes it a much more understandable (and all-too-common, unfortunately) oversight.
Erm... if the server-side was already escaping properly then there would be no way for users to mess with the database. Only if it is not escaping properly is this code vaguely useful.
It's not like you can't store semi-colons in an SQL database :)