Seeking connection string help
#13
Evan Wrote:
stevegula Wrote: Or filter the user input before you use it... which is mainly what a parameterized query is doing for you.

Instead of rewriting all of his DB queries, he could just filter all of his POST/GET data before using it.
Sure, multiple ways to skin a cat. IMO it's a pain in the ass: you are duplicating code, and you always run the risk of missing something or having bugs in your code. I'm a lazy programmer, so I love to reuse good, tested code that makes my life easier.
With parameterized queries you also get other benefits such as performance, and you are properly keeping data layer code out of your presentation layer.

IMO it's a lot easier and quicker to convert a concatenated query into a parameterized query than it is to write messy input validation.
I don't follow, but then again I use PHP. All you'd have to do is, every time your script is called upon, go through the contents of $_GET and $_POST and sanitize them. One piece of code, forever recycled at the very beginning of your script. C#/.NET may be different in its handling of this data, but in PHP it's a convenient keyed array.

The framework I do my programming in offers a filter that sanitizes XSS requests, GET, and POST data. It also has an Object Relation Model class that, when queried through, sanitizes things and parameterizes the queries.

I just threw out the filter of the POST/GET stuff because if he's just trying to quickly update a lot of code, rewriting every query vs filtering the inputted data is a lot of hassle. Not a who's right/wrong thing, but a what's feasible thing.
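The two approaches argued over in this exchange, as an added example that is not code from the thread or from either poster: the concatenated query, the script-wide "escape everything in the request" filter stevegula describes, and the parameterized form Evan prefers. It assumes PDO with an in-memory SQLite table constructed inline, so it runs on its own.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// via PDO so it runs stand-alone; the table and its rows are constructed here.

// 1. Concatenated query: request data becomes part of the SQL text, so a
//    quote or comment character in $email changes the statement itself.
function findUserConcat(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. The "escape everything at the top of the script" approach from the post.
//    It only protects values that end up inside single quotes: a value dropped
//    into a numeric comparison, ORDER BY or LIMIT is not covered, and data that
//    arrives from anywhere other than $_GET/$_POST is never touched at all.
function escapeRequestData(PDO $pdo, array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        // PDO::quote() returns the value escaped and wrapped in quotes;
        // strip the outer quotes so it drops into an existing concatenation.
        $clean[$key] = is_array($value)
            ? escapeRequestData($pdo, $value)
            : substr($pdo->quote((string) $value), 1, -1);
    }
    return $clean;
}

// 3. Parameterized query: the SQL text is fixed and the value travels
//    separately, so no per-input escaping is needed whatever the type.
function findUserParam(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('o''brien@example.com')");

// Constructed request data containing a quote, as a real address legally can.
$request = ['email' => "o'brien@example.com"];
$escaped = escapeRequestData($pdo, $request);
var_dump(findUserConcat($pdo, $escaped['email']));  // found: filter did its job
var_dump(findUserParam($pdo, $request['email']));   // found: nothing to escape
```

Passing the raw `$request['email']` to `findUserConcat()` instead of the escaped copy throws a SQL syntax error from PDO, which is the failure the filter has to catch on every code path while the prepared statement never has to.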