undefined | Better HN

0 pointsGroxx13y ago0 comments

Which is why you sanitize input. Which every sql-communicating system must eventually do somewhere - this is no different.

Besides, that's just an example snippet.

0 comments

1 comments · 1 top-level

Zr4013y ago

If you sanitize input, it implies you're inserting the input into an execution environment. If possible, it's better to treat data as data.

In the Javascript eval case, it's definitely possible; just access the data through a variable instead of inserting it into the eval'ed code.

j / k navigate · click thread line to collapse