Re: Protection from SQL injection - Mailing list pgsql-hackers

From Greg Sabino Mullane
Subject Re: Protection from SQL injection
Date
Msg-id 0d3cc7c47e7c81dcd9e97b646868cb4a@biglumber.com
In response to Re: Protection from SQL injection  (Darren Reed <darrenr@fastmail.net>)
List pgsql-hackers


> How often do people code comments into prepare statements in perl
> or the equivalent in java, ruby, etc?
>
> Do you put comments in your perl prepare statements?

Does it matter? It shouldn't. They are comments.

> If comments count as a statement, at the server end, then the
> multi-statement disabling also disables another attack vector -
> slightly: you can no longer attack using this as your username:
>  "' OR 1=1;--"

Using placeholders and other best practices removes such attacks
completely.

I mostly agree with some other people in this thread that the
'disable multi-line switch' is marginally useful at best, and provides
a false sense of security. But let's not confuse the issue with
examples like the above. Otherwise I'll point out yet again that this
whole thing's a solution in search of a problem. Poorly written apps
will remain poorly written apps, no matter what server-side band-aids
we try to apply.

--
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200805051559
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

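The two query styles contrasted in this exchange, as an added example that is not part of the thread: Python's sqlite3 module stands in for the Perl DBI / PostgreSQL setup under discussion, the `users` table and its rows are constructed, and sqlite3's one-statement-per-execute rule plays the role of the server-side "disable multi-statement" switch being debated.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

# The username from the thread: a quote, an always-true OR, a statement
# terminator and a line comment that swallows the closing quote.
PAYLOAD = "' OR 1=1;--"


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn, username):
    """The poorly written app: the username is pasted into the SQL text.

    With PAYLOAD the statement becomes
        SELECT username FROM users WHERE username = '' OR 1=1;--'
    sqlite3 refuses a second statement after the ';', just as a server
    with multi-statement execution disabled would, but the trailing
    '--' is only a comment, not a statement, so the single statement
    still runs and the OR 1=1 returns every row.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, username):
    """The prepared-statement form Greg recommends: the username is bound
    as a value, so the quote, OR, ';' and '--' are just characters inside
    a string being compared, and a comment in the SQL text itself is
    equally harmless.
    """
    sql = "SELECT username FROM users WHERE username = ?  -- user lookup"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("interpolated:", lookup_interpolated(db, PAYLOAD))  # all users
    print("placeholder: ", lookup_placeholder(db, PAYLOAD))   # no match
    print("placeholder: ", lookup_placeholder(db, "bob"))     # ['bob']
```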