Hacker News new | ask | show | jobs
by randomdata 4018 days ago
While I might agree that the tooling for writing injection-free SQL has improved over the years, certainly back in the day you did have to think about edge cases and be mindful that you weren't allowing anything through. That comes at a cost.

Likewise, especially when it comes to encryption, many schemes have been broken over the years by someone just "adding a function". Actually understanding the vectors one might try to attack what you are doing, again, adds cost.

Finally, as cost is directly proportional to the supply and demand, competent people are generally going to be found in lower supply and in greater demand. Even if you discount the above, competent people are naturally going to cost more.
1 comments
cm2187 4018 days ago
I would agree if we were talking about much more advanced technologies (like multi-threading or high performance code). But using cryptographic functions or parameterised queries are pretty basic skills. You don't expect every electrician to be able to fix a motherboard but you expect any electrician to know "domestic electrical installation 101".
link
randomdata 4018 days ago
> parameterised queries are pretty basic skills.

You might be able to say that now, after much publicization and improved tooling. PHP/mysql comes to mind as not even supporting parameterized queries up to somewhat recent history. Ensuring your queries were safe was entirely up to you. A lot of those old code bases still exist and are being exploited, but what evidence is there that people are still writing brand new projects that way?

That said, even in recent times I've run into edge cases that were not covered by parameterization, still leaving me to ensure the query is sane. It takes care to make sure you get it right. Maybe if you're just shuffling basic user input into a database you can make that claim, but not all tasks are so simple.

> You don't expect every electrician to be able to fix a motherboard but you expect any electrician to know "domestic electrical installation 101".

If you are writing web software you probably should know SQL and all of its shortcomings, but I wouldn't expect all programmers to know SQL, even at a basic level. There are countless programming tasks that will never have anything to do with relational databases.

link