The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx"If you have a difficult task, give it to a lazy person - they will find an easier way to do it." -Hlade's Law Whenever I am asked why something should be done "a certain way," the answer at the front of my mind usually begins, "Laziness. This is theenCommunityServer 2007 SP1 (Build: 20510.895)Laziness is next to Godliness?http://weblogs.asp.net/erobillard/pages/3801.aspx#7261618Fri, 20 Nov 2009 14:53:35 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:7261618Loosely CoupledLoosely Coupled<p>Laziness is next to Godliness?</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=7261618" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#7226692Sat, 10 Oct 2009 10:41:34 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:7226692Jed HunsakerJed Hunsaker<p>I&#39;ve been trying to make this lazy vs. efficient argument forever! Glad to see someone else is on the same page as me :)</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=7226692" width="1" height="1">re: ASP.NET Request Validation and Cross-Site Scriptinghttp://weblogs.asp.net/erobillard/pages/3801.aspx#82602Tue, 02 Mar 2004 13:38:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:82602TrackBackTrackBack<img src="http://weblogs.asp.net/aggbug.aspx?PostID=82602" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#76292Thu, 19 Feb 2004 14:06:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:76292Eli RobillardEli RobillardBefore anyone else bothers to post refinements to the code in this article, note that the point of the article is an approach to code construction. The point is not to provide best practises to prevent cross-site scripting or SQL injection attacks. The code samples describe progressively lazier solutions to a given problem; they exist only to illustrate the concept. <img src="http://weblogs.asp.net/aggbug.aspx?PostID=76292" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#72944Sat, 14 Feb 2004 12:32:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:72944MarkMarkLong range lazyness... fantastic turn of phrase!<img src="http://weblogs.asp.net/aggbug.aspx?PostID=72944" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#70484Tue, 10 Feb 2004 08:14:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:70484stefan demetzstefan demetzonly for scripts with angle bracktes , not for sql injection, param tampering et all<img src="http://weblogs.asp.net/aggbug.aspx?PostID=70484" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#67354Wed, 04 Feb 2004 14:04:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:67354Eli RobillardEli Robillard&gt; it would be good if MS built in this input data cleansing in all input controls <br> <br>They have! See the link at the end of the article on the RequestValidation feature. It checks GET or POST data for malicious content. <br> <br>-e.<img src="http://weblogs.asp.net/aggbug.aspx?PostID=67354" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#66931Tue, 03 Feb 2004 23:47:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:66931stefan demetzstefan demetzit would be good if MS built in this input data cleansing in all input controls <img src="http://weblogs.asp.net/aggbug.aspx?PostID=66931" width="1" height="1">Hardening ASP.NET - avoid SQL injection (ouch !!) - Part 2http://weblogs.asp.net/erobillard/pages/3801.aspx#66928Tue, 03 Feb 2004 23:41:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:66928TrackBackTrackBack<img src="http://weblogs.asp.net/aggbug.aspx?PostID=66928" width="1" height="1">re: The Lazy Programmerhttp://weblogs.asp.net/erobillard/pages/3801.aspx#60009Mon, 19 Jan 2004 02:10:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:60009Eli RobillardEli RobillardTrue, and actually the username and password strings are not concatenated into SQL strings here. In fact, it never quite says exactly how they are used, only that they could carry malicious data. <br> <br>In general, parameterised SQL queries are the recommended way to build any query with optional or variable input. Aside from providing a level of protection against SQL injection, SQL Server is smart enough to use the same compiled version of a parameterised query repeatedly, it's an easy performance gain. <br> <br>A feature in ASP.NET 1.1 might be the laziest solution -- Request Validation. Read about it here: <a target="_new" href="http://www.asp.net/faq/RequestValidation.aspx">http://www.asp.net/faq/RequestValidation.aspx</a> <br>Note that a patch should be applied: <a target="_new" href="http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx">http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx</a> <br><img src="http://weblogs.asp.net/aggbug.aspx?PostID=60009" width="1" height="1">