http://qs321.pair.com?node_id=661467


in reply to Preventing SQL injection attacks: are -T and placeholders not enough?

This may be stating the obvious, but placeholders are only guaranteed effective when the SQL itself is completely static or, at the very least, is assembled from components that are themselves completely static - that is, no user-supplied data enters the SQL string itself in any way.

I bring this up because there may be situations where some portion of the statement (for ex. a column name) needs to be dynamically determined based on inputs. Such situations definitely require extra care. Also, it helps to emphasize the contrast with certain technologies (*cough* PL/SQL *cough*) that have less than full support for placeholders :)

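The point above about a column name having to enter the SQL text itself, as an added example in Perl DBI (this is not code from the original post; it assumes DBD::SQLite is installed and uses an in-memory database with constructed sample rows so it runs offline). The value side of the WHERE clause still goes through a placeholder; the column name is checked against a fixed allowlist and then quoted with DBI's own quote_identifier before it is interpolated:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not from the original thread. Assumes DBD::SQLite is
# available; an in-memory database keeps it self-contained.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email, role) VALUES (?, ?, ?)');
$ins->execute(@$_) for (
    [ 'alice', 'alice@example.com', 'admin' ],
    [ 'bob',   'bob@example.com',   'user'  ],
);

# A column name cannot be a bind value: "WHERE ? = ?" compares two literals,
# it does not pick a column. So the column has to be spliced into the SQL
# text, and that is exactly where the placeholder gives no protection.
my %allowed_column = map { $_ => 1 } qw(name email role);

sub find_users_by {
    my ($dbh, $column, $value) = @_;

    # Allowlist: anything not in the fixed set of column names is refused
    # before a single byte of SQL is assembled.
    die "refusing to filter on unknown column '$column'\n"
        unless $allowed_column{$column};

    # Belt and braces: let the driver quote the identifier (e.g. "name"),
    # so even a listed name with unusual characters cannot change the syntax.
    my $ident = $dbh->quote_identifier($column);

    my $sth = $dbh->prepare("SELECT id, name FROM users WHERE $ident = ?");
    $sth->execute($value);    # the user-supplied value still goes via a placeholder
    return $sth->fetchall_arrayref({});
}

# Normal use: prints "alice"
my $rows = find_users_by($dbh, 'role', 'admin');
print "$_->{name}\n" for @$rows;

# Injection attempt through the column position is rejected by the
# allowlist; the placeholder never saw it and could not have helped.
eval { find_users_by($dbh, q{role = 'admin' OR 1=1 --}, 'x') };
print "rejected: $@" if $@;
```

The allowlist is the real control here; quote_identifier is a second layer that handles the case where a legitimately listed column name happens to be a reserved word or contains characters the SQL grammar cares about. The same pattern applies to table names and ORDER BY directions, which are the other common places where user input ends up in the statement text rather than in a bind value.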

Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by Juerd (Abbot) on Jan 09, 2008 at 22:16 UTC

    Fortunately, non-static SQL is often a sign of evil database design :)

      Oddly, however, knowing that your database design is evil doesn't necessarily help you write more secure code for it. ;-)



      If God had meant us to fly, he would *never* have given us the railroads.
          --Michael Flanders

        ++ :)