From: Hyman Rosen
Date: Mon, 07 Feb 2011 11:44:56 -0500
Newsgroups: comp.lang.ada
Subject: Re: How do I write directly to a memory address?
Message-ID: <4d502224$0$22393$882e7ee2@usenet-news.net>
References: <67063a5b-f588-45ea-bf22-ca4ba0196ee6@l11g2000yqb.googlegroups.com> <31c357bd-c8dc-4583-a454-86d9c579e5f4@m13g2000yqb.googlegroups.com> <05a3673e-fb97-449c-94ed-1139eb085c32@x1g2000yqb.googlegroups.com> <4d4c232a$0$28967$882e7ee2@usenet-news.net> <4D4D6506.50909@obry.net> <4d50095f$0$22393$882e7ee2@usenet-news.net>

On 2/7/2011 11:24 AM, Robert A Duff wrote:
> Hyman Rosen writes:
>
>> ...And is Ada any
>> more immune than C to little Bobby Tables? ()
>
> Well, yeah, somewhat.
> As I mentioned in another thread:
>
> http://www.adacore.com/2010/03/22/gem-82/
> http://www.adacore.com/2010/04/05/gem-83/
>
> The second "gem" contains a reference to that very
> same xkcd comic you mention above (which I found
> highly amusing!).
>
> Similar things could be done in C, but it's rather
> more trouble.

I don't think you've made your case. The gem says

    As long as this interface is used, no errors can result in
    improper input being interpreted as a command

but SQL injection problems occur because at some point, a programmer
fails to notice that there's an input that needs to be subject to the
check.

By the way, I think the gem is taking the wrong approach to validation.
There's no reason to reject strings with special characters as invalid
input. Building up SQL with user inputs involves correctly quoting the
inputs. When they're properly quoted they can have embedded special
characters and the SQL will still be correct. Otherwise you subject
users to annoying restrictions such as not allowing those characters
in their passwords.
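The distinction the reply draws (rejecting special characters versus quoting them correctly) can be shown concretely. The following is an added example written for this page, not code from the post, the thread, or the AdaCore gems it cites; it uses Python's standard sqlite3 module against an in-memory database with a constructed users table, since Ada is the thread's language but a runnable demonstration of the SQL behaviour itself is language-independent. The three login functions, the table layout and the sample user names and passwords are all assumptions made for the example. The point it illustrates: a user name or password that legitimately contains an apostrophe breaks a query assembled by concatenation, whereas proper quoting (here, doubling embedded quotes) and, better still, bound parameters accept the same input without changing the statement's structure.

```python
import sqlite3

# Constructed sample data (not from the original post): names and passwords
# that legitimately contain characters with special meaning in SQL.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("o'brien", "pa'ss;word--"),  # apostrophe in the name and in the password
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Fragile approach: raw input is spliced into the statement text.
    An apostrophe in either value changes the statement's structure, which is
    why code written this way ends up forbidding such characters instead."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def sql_quote(value: str) -> str:
    """Quote a value as an SQL string literal by doubling embedded quotes.
    This is the 'proper quoting' the post refers to: the value may contain any
    character and the literal still ends where the generating code intended."""
    return "'" + value.replace("'", "''") + "'"


def login_quoted(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same statement shape as login_concat, but every value passes through
    sql_quote, so the special characters stay inside their literals."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = " + sql_quote(name)
           + " AND password = " + sql_quote(password))
    return conn.execute(sql).fetchone()[0] == 1


def login_param(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Preferred approach: the statement text is fixed and the values are
    bound by the driver, so no quoting step exists that could be forgotten."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] == 1


def demo() -> dict:
    """Run the three variants against the constructed data and collect results."""
    conn = make_db()
    results = {}
    # A legitimate user whose name and password both contain an apostrophe.
    try:
        results["concat_obrien"] = login_concat(conn, "o'brien", "pa'ss;word--")
    except sqlite3.OperationalError as exc:
        # The concatenated statement is no longer valid SQL.
        results["concat_obrien"] = "error: " + str(exc)
    results["quoted_obrien"] = login_quoted(conn, "o'brien", "pa'ss;word--")
    results["param_obrien"] = login_param(conn, "o'brien", "pa'ss;word--")
    results["param_wrong"] = login_param(conn, "o'brien", "wrong")
    results["param_alice"] = login_param(conn, "alice", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the concatenated variant failing with a syntax error on the apostrophe, while both the quoted and the parameterised variants authenticate the same user and still reject a wrong password. Of the two working variants, the parameterised one is the one to use in practice: `sql_quote` has to be applied at every splice point by hand, which is exactly the kind of step the reply says programmers eventually fail to notice.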