Although #10 should make users much more aware of SQL injections, here's another idea to help users prevent bad practice.
The most likely route for unsafe data to enter a database command, is via the query arg of e.g. select or delete. We could parse this argument and check that it only consists of simple names, logical operators ("AND" and "OR") and question marks, and perhaps some other syntax that I'm overlooking now.
We could then show a warning or even raise an exception (when a flag is certain set?) when things look unsafe.
almarklein
commented
1 year ago
Although #10 should make users much more aware of SQL injections, here's another idea to help users prevent bad practice.
The most likely route for unsafe data to enter a database command, is via the query arg of e.g.
selectordelete. We could parse this argument and check that it only consists of simple names, logical operators ("AND" and "OR") and question marks, and perhaps some other syntax that I'm overlooking now.We could then show a warning or even raise an exception (when a flag is certain set?) when things look unsafe.
This is just an idea for now.