Fighting Code Injections

- DBA protection
  - End users should not see administration tools.
- UI protection
  - User input should always be passed via bind variables (no concatenation!).
    - Bind variables cannot affect the structure of the query.
  - All structural selections should be done from a limited list of options (repository).
    - Power users/developers populate the repository.
    - End users only access whatever is already in the repository.
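The two UI rules above, worked through as an added example that is not part of the original slides: user-supplied data goes through a bind variable, and the structural choice (here the sort column) is taken from a developer-populated repository. The table, rows and the `SORT_COLUMNS` repository are constructed for the example; SQLite in memory stands in for the real database.

```python
import sqlite3

# Repository of structural options, populated by developers (constructed).
# End users may only pick a key; the identifier itself never comes from them.
SORT_COLUMNS = {"name": "name", "dept": "department"}


def setup_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("alice", "eng"), ("bob", "ops"), ("carol", "eng")],
    )
    return conn


def find_in_department(conn, department, sort_key="name"):
    """Return employee names in a department, ordered by a repository column.

    The department value is passed as a bind variable (?), so the database
    compares it as data; quotes or SQL keywords inside it cannot change the
    statement's structure. The ORDER BY column cannot be bound, so it is
    looked up in the repository and an unknown key is rejected instead of
    being interpolated into the query text.
    """
    if sort_key not in SORT_COLUMNS:
        raise ValueError(f"unknown sort key: {sort_key!r}")
    column = SORT_COLUMNS[sort_key]  # identifier from the repository only
    sql = f"SELECT name FROM employees WHERE department = ? ORDER BY {column}, name"
    return [row[0] for row in conn.execute(sql, (department,))]


if __name__ == "__main__":
    db = setup_db()
    print(find_in_department(db, "eng"))            # ['alice', 'carol']
    # A value carrying SQL syntax is just a string that matches no row.
    print(find_in_department(db, "eng' OR '1'='1"))  # []
```

The second call shows the bind variable at work: the quote-laden value is compared literally and returns nothing, whereas the same string concatenated into the query text would have changed its structure.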