bobby-tables
Explain why tainted data is bad
From Steve Davis [email protected]
Hey Andy,
Thanks for your bobby-tables page and language examples.
I see your todo list includes “explain why creating code from outside data is bad” and am wondering when you are going to get to that.
I definitely understand the problem of SQL injection, having had one of my early sites injected and then a crude “pay me or I will show you more of your data” attempt. However, I don’t understand “why creating code from outside data is bad” or even what you mean exactly.
So a rundown on the whole thing and how pg_query_params prevents injection would be excellent.
Thanks in advance
All the best
Steve