in reply to Preventing SQL injection attacks: are -T and placeholders not enough?
This may be stating the obvious, but placeholders are only guaranteed effective when the SQL itself is completely static or, at the very least, is assembled from components that are themselves completely static - that is, no user-supplied data enters the SQL string itself in any way.
I bring this up because there may be situations where some portion of the statement (for example, a column name) needs to be dynamically determined based on inputs. Such situations definitely require extra care. Also, it helps to emphasize the contrast with certain technologies (*cough* PL/SQL *cough*) that have less than full support for placeholders :)
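The distinction drawn above, as an added example that is not part of the original post or of any of the thread's participants' code: it uses Python's sqlite3 module rather than Perl DBI, but the placeholder semantics are the same. The schema, rows, and the `ALLOWED_COLUMNS` allow-list are constructed for the demonstration. It shows a value bound safely through a placeholder, what actually happens when an identifier is bound through a placeholder (it becomes a string literal, not a column reference), the deliberately vulnerable interpolated version, and the extra care the post calls for: matching the dynamic identifier against a fixed set of known column names before quoting it into the statement.

```python
import sqlite3

# Constructed allow-list of column names a caller may select (hypothetical).
# Identifiers cannot be bound, so this is the check that replaces a placeholder.
ALLOWED_COLUMNS = {"id", "name", "email"}


def make_db():
    """Constructed in-memory sample table; not from the original thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, password) VALUES (?, ?, ?)",
        [("bob", "bob@example.com", "hunter2"), ("alice", "alice@example.com", "s3cret")],
    )
    conn.commit()
    return conn


def find_by_name(conn, name):
    """Fully static SQL: user data reaches the engine only as a bound value,
    so a quote or OR clause in `name` is compared as data, not parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def select_column_via_placeholder(conn, column):
    """Misuse: a placeholder cannot carry an identifier. The bound text is a
    string literal, so this returns the word in `column` once per row rather
    than that column's contents. Safe, but silently wrong."""
    rows = conn.execute("SELECT ? FROM users ORDER BY id", (column,)).fetchall()
    return [r[0] for r in rows]


def select_column_unsafe(conn, column):
    """Deliberately vulnerable: the caller's string is spliced into the SQL,
    so any column (or any trailing SQL) the caller names is executed."""
    rows = conn.execute(f"SELECT {column} FROM users ORDER BY id").fetchall()
    return [r[0] for r in rows]


def column_permitted(column):
    """Exact-match check against the fixed allow-list (no normalisation,
    no regex): the identifier is either one of ours or it is rejected."""
    return column in ALLOWED_COLUMNS


def select_column_allowlisted(conn, column):
    """Dynamic identifier handled with the extra care the post asks for:
    validate against the known set, then quote it as an identifier. Any
    values the statement needed would still go through placeholders."""
    if not column_permitted(column):
        raise ValueError(f"column not permitted: {column!r}")
    rows = conn.execute(f'SELECT "{column}" FROM users ORDER BY id').fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name(db, "x' OR '1'='1"))            # []
    print(select_column_via_placeholder(db, "name"))   # ['name', 'name']
    print(select_column_unsafe(db, "password"))        # ['hunter2', 's3cret']
    print(select_column_allowlisted(db, "name"))       # ['bob', 'alice']
```

The allow-list is the important part: because the column name never passes through the driver's quoting, the only thing standing between the caller and `password` (or `name FROM users; --`) is that exact-match check, so keep it as a closed set of literal names rather than a pattern.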
Replies are listed 'Best First'.
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
  by Juerd (Abbot) on Jan 09, 2008 at 22:16 UTC
  by ChemBoy (Priest) on Jan 10, 2008 at 20:37 UTC
  by Juerd (Abbot) on Jan 10, 2008 at 21:43 UTC