From: Ludovic Brenta
Newsgroups: comp.lang.ada
Subject: Re: How do I write directly to a memory address?
Date: Mon, 7 Feb 2011 09:02:19 -0800 (PST)
Organization: http://groups.google.com
Message-ID: <8fb97ba0-b5ed-43a0-ac37-1a5c01cfcee8@k9g2000yqi.googlegroups.com>
References: <67063a5b-f588-45ea-bf22-ca4ba0196ee6@l11g2000yqb.googlegroups.com> <31c357bd-c8dc-4583-a454-86d9c579e5f4@m13g2000yqb.googlegroups.com> <05a3673e-fb97-449c-94ed-1139eb085c32@x1g2000yqb.googlegroups.com> <4d4c232a$0$28967$882e7ee2@usenet-news.net> <4D4D6506.50909@obry.net> <4d50095f$0$22393$882e7ee2@usenet-news.net> <4d502224$0$22393$882e7ee2@usenet-news.net>

Hyman Rosen wrote on comp.lang.ada:
> On 2/7/2011 11:24 AM, Robert A Duff wrote:
>> Hyman Rosen writes:
>
>>> ...And is Ada any
>>> more immune than C to little
>>> Bobby Tables? ()
>
>> Well, yeah, somewhat.  As I mentioned in another thread:
>
>> http://www.adacore.com/2010/03/22/gem-82/
>> http://www.adacore.com/2010/04/05/gem-83/
>
>> The second "gem" contains a reference to that very
>> same xkcd comic you mention above (which I found
>> highly amusing!).
>> Similar things could be done in C, but it's rather
>> more trouble.
>
> I don't think you've made your case. The gem says
>
>       As long as this interface is used, no errors can result
>       in improper input being interpreted as a command
>
> but SQL injection problems occur because at some point,
> a programmer fails to notice that there's an input that
> needs to be subject to the check.
>
> By the way, I think the gem is taking the wrong approach to
> validation. There's no reason to reject strings with special
> characters as invalid input. Building up SQL with user inputs
> involves correctly quoting the inputs. When they're properly
> quoted they can have embedded special characters and the SQL
> will still be correct. Otherwise you subject users to annoying
> restrictions such as not allowing those characters in their
> passwords.

I've always wondered what this "SQL sanitation" was all about. Aren't we supposed to pass all user input as bound parameters anyway? That even removes the need for quoting.

--
Ludovic Brenta.
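The three approaches the thread contrasts (reject inputs containing SQL metacharacters, build the statement by concatenation, or pass the input as bound parameters) side by side, as an added example that is not code from any poster; it uses Python's standard sqlite3 module because the thread names no database library, and the users table and its rows are constructed for the demonstration:

```python
import sqlite3


def setup():
    """Constructed in-memory table with one user whose password contains ' and ;."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("o'brien", "pa'ss;word")])
    return con


def gem_style_validate(value):
    """Whitelist check in the spirit of the gem: refuse SQL metacharacters outright.
    This is the 'annoying restriction' Hyman objects to: o'brien's password fails it."""
    return not any(c in value for c in "';\"-")


def login_concatenated(con, name, password):
    """Statement assembled from user input by concatenation (the pattern that
    makes injection possible). Returns the number of matching rows."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0]


def concatenation_fails_for(con, name, password):
    """True if the concatenated statement cannot even be parsed for this input,
    i.e. a legitimate apostrophe in the data already breaks the query."""
    try:
        login_concatenated(con, name, password)
        return False
    except sqlite3.OperationalError:
        return True


def login_bound(con, name, password):
    """Ludovic's point: bind the values, so they are always data and never SQL
    text. No quoting or character restriction is needed."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()[0]


if __name__ == "__main__":
    con = setup()
    print("validator rejects o'brien's password:", not gem_style_validate("pa'ss;word"))
    print("concatenation breaks on o'brien:", concatenation_fails_for(con, "o'brien", "pa'ss;word"))
    print("bound parameters log o'brien in:", login_bound(con, "o'brien", "pa'ss;word"))
    # A password that contains SQL syntax is matched literally when bound.
    print("bound, SQL-looking password:", login_bound(con, "alice", "x' OR '1'='1"))
```

The last line is the check that matters for the "programmer forgot one input" worry raised in the thread: with binding there is nothing to forget, because the driver never interprets the value as SQL.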