Chico_Loco - 5:01 pm on Dec 6, 2011 (gmt 0)
I'm going to play devil's advocate here... Although poor programming opens the door for SQL injection and other types of hacks, the real problem is that the hackers actually perform this type of attack, which, if I understand it correctly, is illegal.
Sure, if I accidentally leave the door of my house unlocked and a thief comes in and robs me, then I made a mistake that facilitated me being robbed, but it is the thief that performs the illegal act of badwill.
Sure, I'm pontificating a bit about morals, but that's the real issue at hand here, even if it can't be controlled in the real world.
Why am I playing devil's advocate?... There are plenty of people out there that only know enough code to be dangerous but are smart enough to see a gap in the market that they can fill. If they perform the effort to produce some piece of software that provides a valuable service and is in demand, then they should be able to write that software and put it out there. I myself did this years ago with something called "SpyderTrax" and released it to the public. I am not an expert coder, so perhaps it has holes, and perhaps not.
Not everyone will have the money to hire a real coder to make their code secure. I didn't.
Maybe the languages themselves should have more checks and balances in place to prevent such things from happening, e.g. not allowing SQL code to be passed from $_GET and $_POST input variables unless specifically enabled in the code itself on a query-by-query basis.
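The query-by-query opt-in the post proposes, sketched as an added Python example (not code from the post or from SpyderTrax): a marker type for request input, and a query helper that refuses SQL text carrying that marker unless the call explicitly allows it, while bound parameters pass through as data. `Untrusted`, `run_query` and the sample table are assumed names and constructed data.

```python
import sqlite3


class Untrusted(str):
    """Marker for strings that arrived via request input (the $_GET/$_POST of the post).
    Concatenating it into other text keeps the marker, so the taint follows the value."""

    def __add__(self, other):
        return Untrusted(str.__add__(self, other))

    def __radd__(self, other):
        return Untrusted(str.__add__(other, self))
    # Caveat: f-strings and str.format() build a plain str and would drop the marker.


def run_query(conn, sql, params=(), allow_raw=False):
    """Refuse SQL text that carries request input unless this call opts in (allow_raw).
    Values in params are bound by sqlite3 and never become part of the SQL text."""
    if isinstance(sql, Untrusted) and not allow_raw:
        raise ValueError("request input reached SQL text; bind it as a parameter instead")
    # Unwrap the marker before binding; the driver treats a bound value as data only.
    params = tuple(str(p) if isinstance(p, Untrusted) else p for p in params)
    return conn.execute(sql, params).fetchall()


def setup():
    # Constructed sample table, not data from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn


def lookup_concatenated(conn, name):
    # The pattern the post warns about: request input spliced into the statement.
    return run_query(conn, "SELECT role FROM users WHERE name = '" + name + "'")


def lookup_bound(conn, name):
    # The safe form: the same input travels as a bound parameter.
    return run_query(conn, "SELECT role FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    conn = setup()
    print(lookup_bound(conn, Untrusted("o'brien")))  # [('user',)]
    try:
        lookup_concatenated(conn, Untrusted("o'brien"))
    except ValueError as err:
        print("rejected:", err)
```

The same marker type could come from a web framework's request object, so that application code never sees an unmarked request value.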