3 research outputs found

    Preventing injection attacks with syntax embeddings

    Software written in one language often needs to construct sentences in another language, such as SQL queries, XML output, or shell command invocations. This is almost always done using unhygienic string manipulation, the concatenation of constants and client-supplied strings. A client can then supply specially crafted input that causes the constructed sentence to be interpreted in an unintended way, leading to an injection attack. We describe a more natural style of programming that yields code that is impervious to injections by construction. Our approach embeds the grammars of the guest languages (e.g., SQL) into that of the host language (e.g., Java) and automatically generates code that maps the embedded language to constructs in the host language that reconstruct the embedded sentences, adding escaping functions where appropriate. This approach is generic, meaning that it can be applied with relative ease to any combination of host and guest languages.

    Haskell Server Pages - Functional Programming and the Battle for the Middle Tier

    Haskell Server Pages (HSP) provide an easy way to create dynamic web pages and simplify the task of building middle tier components. This article gives an overview of HSP from a programmer's perspective. It includes examples of HSP in action and gives a precise description of translating HSP scripts into plain Haskell.