

Idiots think they know more than expert WebDevs. Claim immunity to SQL Injection - justintocci
http://www.3comets.com

======
justintocci
A transcript of the presentation has been posted under video.

------
catmanjan
This is terrible, and linkbait.

------
justintocci
i posted this link and i am one of the idiots.

~~~
pedalpete
When you say you're "one of the idiots", do you mean you work for Envelope?
Are you posting this as a "we learned our lesson and thought we were experts
when we aren't"?

I'm all for beginners finding new and novel ways to solve problems, but if you
are involved with the envelope team, it would be interesting to hear your
experiences of what happened after the video was made.

~~~
michaeltocci
We are very serious, we know we have solved the problem. Things have been
going well. We are hoping to get feedback.

~~~
pedalpete
I missed that in the post, and the title of "Idiots ... claim immunity to SQL
injection attacks" doesn't suggest you've been successful.

Maybe I'm the idiot. You've got a nice query-building interface, and I'm not
an SQL injection expert, but if you are transferring SQL statements directly
from a browser through to your API, then somebody can just write a damaging
SQL statement to the API. If you're sending to your API a parameterized list,
e.g. in a RESTful example Get/id,name/Where/last_accessed/Greater/24000, then
you've really built an API which is doing the same thing middleware is
doing: translating an API into SQL at some point.

As a developer, you haven't hit a solution for me. So little time is spent
reading and writing to databases because middleware has abstracted so much of
that and in languages like Rails, you're spending 90% of your time working
with the data outside the db and then just stuffing it into the db. The
frameworks take care of the SQL injection issues due to the middleware, which
is open sourced and being used by millions of sites safely.
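Added example (not from the thread or the Envelope project): one way the "translate the API into SQL" step pedalpete describes can be done so that the browser never controls SQL text. Column and operator names from the path are checked against an allowlist before being placed in the statement, and the value only ever travels as a bound parameter. The `users` table, its columns and the operator names are assumptions for the demo.

```python
import sqlite3

# Allowlists: only these identifiers may ever be interpolated into SQL text.
# Anything else in the path is rejected rather than passed through.
ALLOWED_COLUMNS = {"id", "name", "last_accessed"}      # hypothetical schema
OPERATORS = {"Greater": ">", "Less": "<", "Equal": "="}  # hypothetical names


def parse_query_path(path):
    """Turn 'Get/id,name/Where/last_accessed/Greater/24000' into (sql, params).

    The value never enters the SQL string; it is returned as a bound parameter.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 6 or parts[0] != "Get" or parts[2] != "Where":
        raise ValueError("unsupported query shape")
    columns = parts[1].split(",")
    where_col, op_name, value = parts[3], parts[4], parts[5]
    for col in columns + [where_col]:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column: {col!r}")
    if op_name not in OPERATORS:
        raise ValueError(f"unknown operator: {op_name!r}")
    sql = (f"SELECT {', '.join(columns)} FROM users "
           f"WHERE {where_col} {OPERATORS[op_name]} ?")
    return sql, (value,)


def run_query(conn, path):
    """Execute a path-style query with the value bound, not concatenated."""
    sql, params = parse_query_path(path)
    return conn.execute(sql, params).fetchall()


def make_demo_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, last_accessed INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "ann", 10000), (2, "bob", 30000), (3, "cat", 50000)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(run_query(db, "Get/id,name/Where/last_accessed/Greater/24000"))
```

A hostile column name such as `name; DROP TABLE users` fails the allowlist check, and a hostile value such as `0 OR 1=1` is compared as a literal string rather than parsed as SQL.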

