Re: Lazy sanitizing of data for SQL queries

["Sverre H. Huseby" <shh () thathost com>]

[Sverre H. Huseby (that's me)]

|   Yes.  What would you do for columns that were not textual?

I'm answering myself, because I responded too quickly.  My second
objection (or confusion) goes like this:

What would you gain?  Instead of having to remember to always call a
function to escape quotes, ensure numeric and so on, you would have to
remember calling a function to do BASE64.  I can't see what you win.

And if that wasn't enough, you would _also_ have to remember to always
call a function to decode BASE64 after reading from the database, so
your scheme actually makes it all even more cumbersome.

Not to mention all the hassle you must go through to manually inspect
or edit the database.  In addition, you must do calculations between
BASE64 lengths and actual lengths when you define the tables (if you
want to do length checks in the application).

And finally (at least for this mail), you will run into problems if
you allow other applications (beyond your control) to access the same
database.  Many applications grow far beyond the initial intent, so
this scenario may be more likely than one first thinks (at least if
you program a huge web application for a large customer).


Sverre.

PS: I'm a little bit angry with myself because I didn't immediately
    see the sorting problem mentioned by Phil Brass. :)

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/