Re: Automated Form Validation?

From: Chung Leong (chernyshevsky_at_hotmail.com)
Date: 02/26/05


Date: Sat, 26 Feb 2005 00:07:24 -0500


"Matt Mitchell" <m_a_t_t_remove_the_underscores@metalsponge.net> wrote in
message news:CqvTd.218039$K7.23269@fe2.news.blueyonder.co.uk...
> I would refute this "sane programming scenario" right at the point where you
> decide that user-inputted data is fine to insert into a database without
> escaping. On which particular planet is this a good idea? If you are
> taking even basic precautions against attacks, then you escape ALL data
> before putting it into the database - even down to things like making sure
> that numeric fields contain numeric data, etc.

That's a bit unfair, isn't it? I would, of course, every argument arguing
against the ideal scenario. Everything would be hunky-dory if everyone
follows best practice et al. What guarantee can you give that best practice
was followed, given that, as you said below, people are prone to err? And
keep in mind that validation has a direct bearing on security. If your
assertion that everything was coded according to best practice turned out to
be untrue, then you have all sorts of holes in your application.

> But in the vast majority of cases, the validation IS generic. Most computer
> software, most people, and most businesses handle the same type of data
> repeatedly; computers are useful because they are good at doing the same
> task over and over and over again, exactly the same each time. People are
> very bad at doing this, and that's why it's better to get something right,
> and then let a computer handle getting it done right the next time.

If that's true, then the validation rules aren't going to change. So you're
back to square one.


