
This paper: http://swerl.tudelft.nl/twiki/pub/Main/TechnicalReports/TUD-... describes a general way to deal with injection attacks (not just SQL injections), namely adding the syntax of the "guest" language (such as SQL) to the "host" language (such as Java), e.g.

  SQL q = <| SELECT id FROM users WHERE name = ${userName} AND password = ${password} |>;
The <|...|> construct switches from Java to SQL, while ${...} switches from SQL to Java. The desugaring process that translates the Java+SQL to plain Java ensures that escaping is done at the right places. This approach is based on SDF2, a language for defining grammars that allows context-free grammars to be combined in almost arbitrary ways.
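As an added example (not the paper's code and not part of the comment above), the following Python sketch imitates the desugaring step the comment describes: a template with ${...} holes is tokenized as SQL, and each hole is handled according to where it sits in the SQL grammar rather than being pasted in as text. Everything here is an assumption for illustration: a regex-based hole finder stands in for an SDF2 grammar, identifier position is approximated by "the previous word is FROM/JOIN/INTO/UPDATE/TABLE", value position becomes a bind parameter, and a hole inside a quoted literal is rejected. The naive string-concatenation login is included only as the insecure counterpart.

```python
import re
import sqlite3

# ${name} holes: the switch from the guest language (SQL) back to the host.
HOLE = re.compile(r"\$\{(\w+)\}")
# Keywords after which the SQL grammar expects an identifier, not a value
# (assumption: a crude stand-in for a real parser's knowledge of position).
IDENT_KEYWORDS = {"FROM", "JOIN", "INTO", "UPDATE", "TABLE"}
IDENT_GRAMMAR = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def desugar(template, env):
    """Translate an SQL template with ${...} holes into (sql, params).

    SQL text between holes passes through untouched. Each hole is handled
    according to where it sits in the SQL grammar:
      * identifier position (right after FROM/JOIN/...): the host value is
        checked against the identifier grammar and emitted double-quoted;
      * inside a string literal: rejected; write col = ${x} instead and let
        the desugaring decide how the value is carried;
      * anywhere else: a '?' bind parameter, value passed out of band.
    Host values therefore never become SQL source text.
    """
    sql, params, pos = [], [], 0
    for m in HOLE.finditer(template):
        name = m.group(1)
        prefix = template[:m.start()]
        sql.append(template[pos:m.start()])
        value = env[name]
        # An odd number of single quotes before the hole means we are
        # inside a string literal ('' inside a literal counts as two).
        if prefix.count("'") % 2 == 1:
            raise ValueError("hole ${%s} sits inside a string literal" % name)
        words = re.findall(r"[A-Za-z_]+", prefix)
        if words and words[-1].upper() in IDENT_KEYWORDS:
            if not IDENT_GRAMMAR.match(value):
                raise ValueError("%r is not a valid SQL identifier" % value)
            sql.append('"%s"' % value)
        else:
            sql.append("?")
            params.append(value)
        pos = m.end()
    sql.append(template[pos:])
    return "".join(sql), params


LOGIN_TEMPLATE = (
    "SELECT id FROM users WHERE name = ${userName} AND password = ${password}"
)


def make_db():
    """Constructed sample data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    return conn


def desugared_login(conn, user_name, password):
    """Login via the desugared template: values travel as bind parameters."""
    sql, params = desugar(LOGIN_TEMPLATE,
                          {"userName": user_name, "password": password})
    return conn.execute(sql, params).fetchall()


def naive_login(conn, user_name, password):
    """Insecure counterpart: host values spliced into the SQL text."""
    sql = ("SELECT id FROM users WHERE name = '%s' AND password = '%s'"
           % (user_name, password))
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print(desugar(LOGIN_TEMPLATE, {"userName": "alice", "password": attack}))
    print("naive:", naive_login(db, "alice", attack))         # [(1,)]: bypassed
    print("desugared:", desugared_login(db, "alice", attack)) # []: attack is data
    print(desugar("SELECT id FROM ${t} WHERE name = ${n}",
                  {"t": "users", "n": "alice"}))
```

The point the toy makes is the one in the comment: because the translator knows which SQL production each hole occupies, it can choose the right treatment per position (bind parameter, validated identifier, or refuse), something a generic string escape applied uniformly cannot do.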




