SQL Injection Is Not Acceptable

  • Well,

    while I agree with you that it's an abomination, and I would also go as far as to say it's a hallmark of absolute rank, wilful incompetence, and if you have to be told twice about it you should be out on your ear on the spot. However, the simple fact is that in huge numbers of shops, it is absolutely acceptable as far as they're concerned. Absolutely OK; why would you complain?

    This is something that we test for on every system that comes in, and we find it in the codebase, pretty much as often as not.  When this is raised with the provider, the initial response is pretty much universally "not a problem", "not going to fix it".  Even internally, we've seen stuff written by DBAs using appropriate techniques to avoid it, *with an explanation in the comments*, get replaced by Devs later down the line with injectable code.

    It's just absolutely in line with pretty much anything to do with security. Most of those writing code simply don't want to be bothered with it, and probably spend more time deciding on the colour palette, where to put the logos and how big they should be (although I do not exclude SQL Developers from this). If you're NOT like that, don't get huffy, I'm not talking about the professionals here; if you are, though, don't waste time complaining to me - try doing some reading instead.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.
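
The pattern the post describes, a query that concatenates user input (the "injectable code") beside the parameterised form that avoids it, as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module against a constructed in-memory two-row users table; the table layout, function names and the login payloads are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The injectable version: user input is pasted into the SQL text.

    A username of  alice' --  closes the string literal and comments out the
    rest of the WHERE clause, so the password is never checked.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The parameterised version: the query text is fixed, values are bound.

    The same payload is compared as a literal username and matches nothing,
    because the driver never lets the data be parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same inputs and return the outcomes."""
    conn = make_db()
    # Constructed payloads: a comment-out bypass and an always-true predicate.
    payloads = ["alice' --", "' OR 1=1 --"]
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "honest_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "bypass_vulnerable": [login_vulnerable(conn, p, "wrong") for p in payloads],
        "bypass_parameterized": [login_parameterized(conn, p, "wrong") for p in payloads],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions accept the genuine credentials; only the concatenating one also accepts the two payloads, which log the caller in as the first row of the table without knowing any password. The T-SQL equivalent of the same distinction is `EXEC` on a concatenated string versus `sp_executesql` with a parameter list, which is the kind of DBA-written code the post describes being replaced.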
