It’s a common problem for the same reason that it’s a common problem for people to have precision errors when doing math with currencies… People write the wrong code because they don’t know any better (in that case using float or double/floating point math instead of a BigDecimal type).
Not filtering out characters that could be part of URL has no bearing on whether or not the site is properly protected from SQL injection. I’m much more often worried about sites that explicitly filter out certain characters because it likely means they don’t understand what they’re doing (similar to sites that insist on annual password changes).
The fact that people are arguing about this shows how much of an issue we have with education on this topic.
And yet injection is still #3 in the OWASP Top 10
Okay?
You make it sound as if it’s a thing of the past when it is still a common problem.
It’s a common problem for the same reason that it’s a common problem for people to have precision errors when doing math with currencies… People write the wrong code because they don’t know any better (in that case using float or double/floating point math instead of a BigDecimal type).
Not filtering out characters that could be part of URL has no bearing on whether or not the site is properly protected from SQL injection. I’m much more often worried about sites that explicitly filter out certain characters because it likely means they don’t understand what they’re doing (similar to sites that insist on annual password changes).
The fact that people are arguing about this shows how much of an issue we have with education on this topic.