by atemerev
3324 days ago
Would you be so kind as to explain to me the attack vector if the user input is never possibly treated as part of the code? What I came up with is this: the user name is stored in the database, and some new junior developer in a large team reads it in the backend code, and immediately plugs it into another SQL query using string concatenation. BOOM! But on the other hand, the very same junior developer can forget to sanitize the inputs before storing them (or do it incorrectly), so there.
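The scenario in the comment above (a name stored safely, then read back and concatenated into a second query) as an added example that is not part of the original comment. It uses Python's `sqlite3`; the table names, function names and the sample user names are constructed for illustration.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                   [("alice", "laptop"), ("bob", "phone")])
    return db

def register(db, name):
    # Write path: the name is bound as data, so it is stored byte-for-byte.
    return db.execute("INSERT INTO users (name) VALUES (?)", (name,)).lastrowid

def stored_name(db, user_id):
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def orders_concat(db, user_id):
    # Read path with the later mistake: a value that came out of the database
    # is assumed to be trusted and spliced into the SQL text.
    name = stored_name(db, user_id)
    sql = "SELECT item FROM orders WHERE owner = '" + name + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def orders_bound(db, user_id):
    # Same lookup with the stored value bound as a parameter.
    name = stored_name(db, user_id)
    sql = "SELECT item FROM orders WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (name,))]

def demo():
    db = make_db()
    alice = register(db, "alice")
    odd = register(db, "x' OR '1'='1")   # constructed sample name
    return {
        "round_trip": stored_name(db, odd),        # stored unchanged
        "alice_concat": orders_concat(db, alice),  # looks fine in testing
        "odd_concat": orders_concat(db, odd),      # WHERE clause rewritten
        "odd_bound": orders_bound(db, odd),        # treated as a plain name
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The write path here is correct and the stored value is unmodified; the difference between the two read functions is only whether the value is bound or concatenated at the point of use.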