Comment Re:Parameterized SQL (Score 1) 244

Correct. If you are building dynamic SQL as a string within a stored proc, simple parameters aren't enough.

This kind of code is common when you need to build a dynamic WHERE, SELECT or ORDER BY clause. Normally you would build this WHERE clause in code and then, yes, use parameters. But some code shops insist that all SQL be in sprocs and ban inline SQL. When you parameterize it, you only escape the first level. If you use that value in the dynamic SQL string, it will again be treated as literal.

Now, before you jump in and say "well, that's a stupid way to do it! Stupid code is stupid," ask anyone who has worked in an MS SQL shop or supported 3rd-party apps that use MS SQL. Even the built-in system sprocs use this kind of dynamic processing. The poster Buchner's comment was only to show that just using parameters isn't always enough.

Here is some code I wrote to prove it and tested in MS SQL:

-- These two lines simulate what a parameterized query would do:
-- the driver delivers the value test' (one trailing quote) into @firstname.
declare @firstname as varchar(30)
set @firstname = 'test'''   -- note the escaped single quote

declare @sqlQuery as varchar(2000)

set @sqlQuery = 'select * from Employee where '

-- The value was a safe literal at the parameter level, but here it is
-- pasted into SQL text, so its quote becomes syntax again.
if (@firstname is not null) begin
    set @sqlQuery = @sqlQuery + ' Firstname=''' + @firstname + ''''
end

print @sqlQuery   -- select * from Employee where  Firstname='test''

-- The generated text ends in an unterminated string literal, so exec fails on it.
exec(@sqlQuery)
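Added example, not part of the original comment and not the poster's code: the same dynamic-WHERE pattern in T-SQL (SQL Server 2012 or later, because of THROW), first spliced into the query text as above and then handed to sp_executesql as a real parameter, plus the case the comment mentions where the dynamic piece is a column name and a parameter cannot be used at all. The #Employee table and its rows are constructed test data, the payload is a demonstration string, and the DECLARE of @firstname stands in for a parameterized outer call the same way the comment's own simulation does.

```sql
-- Added example, not from the original comment. #Employee, its rows, the
-- payload and the @fn parameter name are constructed for illustration.
SET NOCOUNT ON;

CREATE TABLE #Employee (Id int, Firstname varchar(30), Salary int);
INSERT INTO #Employee VALUES (1, 'alice', 100), (2, 'bob', 200);

-- What a parameterized outer call delivers to the sproc. At that level the
-- quote is data, not syntax.
DECLARE @firstname varchar(100) = 'x'' OR 1=1 --';

-- 1. Unsafe: the value is spliced into the SQL text, so its quote becomes
--    syntax again. The text now reads
--      ... WHERE Firstname = 'x' OR 1=1 --'
--    and the trailing quote is commented out, so every row satisfies it.
DECLARE @unsafe nvarchar(2000) =
    N'SELECT Id, Firstname FROM #Employee WHERE Firstname = ''' + @firstname + N'''';
PRINT @unsafe;
EXEC (@unsafe);

-- 2. Safe: keep the SQL text fixed and pass the value to sp_executesql as a
--    parameter. The text is compiled with a placeholder, so the payload can
--    only ever be compared as a string and matches nothing here.
DECLARE @safe nvarchar(2000) =
    N'SELECT Id, Firstname FROM #Employee WHERE Firstname = @fn';
EXEC sp_executesql @safe, N'@fn varchar(100)', @fn = @firstname;

-- 3. Identifiers (a caller-chosen ORDER BY column) cannot be parameters.
--    Whitelist the name against the catalog, then quote it with QUOTENAME
--    so it can only ever be an identifier in the generated text.
DECLARE @orderBy sysname = N'Salary';   -- caller-supplied in a real sproc
IF NOT EXISTS (SELECT 1 FROM tempdb.sys.columns
               WHERE object_id = OBJECT_ID(N'tempdb..#Employee')
                 AND name = @orderBy)
    THROW 50000, N'Unknown sort column', 1;

DECLARE @sorted nvarchar(2000) =
    N'SELECT Id, Firstname FROM #Employee WHERE Firstname = @fn ORDER BY '
    + QUOTENAME(@orderBy);
EXEC sp_executesql @sorted, N'@fn varchar(100)', @fn = 'alice';

DROP TABLE #Employee;
```

The rule the three cases illustrate: a value that was bound once is only safe for as long as it stays a value. The moment a sproc concatenates it into text that will be executed, it has to be bound again (sp_executesql) or, if it is an identifier, validated against a whitelist and quoted with QUOTENAME.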
Programming

Kaminsky Offers Injection Antidote 244

ancientribe passes along this excerpt from DarkReading.com: "Life's too short to defend broken code. That's the reason renowned researcher Dan Kaminsky says he came up with a brand-new way to prevent pervasive SQL injection, cross-site scripting, and other injection-type flaws in software — a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving these flaws in their apps. The tool, which he released today for input from the development and security community, basically takes the security responsibility off the shoulders of developers. Putting the onus on them hasn't worked well thus far, he says. Kaminsky's new tool is part of his new startup, Recursive Ventures."
Medicine

UK Docs Perform First Remote-Control Heart Surgery 142

ByronScott writes "Doctors at a British hospital have just carried out the world's first surgery using a remote-controlled robot. The procedure fixed a patient's irregular heart rhythm, and although the doctor was in the same hospital as the patient — just through the wall in another room — developers of the RC surgery technology believe this is the first step toward long-distance operations. Imagine a doctor in London performing surgery on your heart in New York!"
