On Tue, 22 Mar 2005 09:04:00 +1100, Ken Schaefer <Ken at adopenstatic.com> wrote:

> I am surprised that the use of prepared statements and parameterised queries
> has not been brought up.
>
> There are numerous ways to either (a) inject SQL or (b) fingerprint a
> database via error codes. Attempting to sanitise bad input is, in the final
> analysis, a losing battle. Instead, the use of parameterised queries is the way
> to avoid SQL injection. You are putting the burden of avoiding SQL Injection
> onto your data access technology, rather than attempting to come up with your
> own algorithms.

I would not say that using prepared statements just to avoid SQL injection is a good idea. One is introducing quite a performance hit if the statement is only going to be executed once.

What is so wrong with validating user input and restricting database user permissions? Is there a case you can think up that would still get by these input-cleaning functions? Why is it a losing battle?

--
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.
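As an added illustration of the point under debate (example code, not from either poster), the following runnable Python/sqlite3 snippet sets up a constructed three-row table and compares a quote-escaping "input-cleaning" function, a bound-parameter query, and a per-column validator. The table, names and function names are all assumptions made for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def escape_quotes(value: str) -> str:
    """A typical 'input-cleaning' function: doubles single quotes.
    Only meaningful when the value lands inside a quoted string literal;
    it does nothing for a value spliced into an unquoted numeric position."""
    return value.replace("'", "''")

def lookup_by_id_cleaned(conn: sqlite3.Connection, user_id: str) -> list:
    # String-built query: the cleaner has no quote to act on, so any
    # non-numeric text becomes part of the SQL grammar rather than data.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_by_id_parameterised(conn: sqlite3.Connection, user_id) -> list:
    # Prepared statement with a bound parameter: the driver hands the value
    # to the engine as one scalar, never as SQL text, so the query shape is
    # fixed no matter what the value contains. A non-numeric string simply
    # fails to match any INTEGER id.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]

def lookup_by_id_validated(conn: sqlite3.Connection, user_id: str) -> list:
    # Validation done right for this one column: accept only an integer
    # (int() raises ValueError otherwise). Correct here, but the rule is
    # specific to this parameter and must be re-derived per query context,
    # which is the maintenance cost the thread is arguing about.
    return lookup_by_id_parameterised(conn, int(user_id))

if __name__ == "__main__":
    db = make_db()
    print(lookup_by_id_cleaned(db, "2"))               # ['bob']
    print(lookup_by_id_cleaned(db, "2 OR 1=1"))        # ['alice', 'bob', 'carol']
    print(lookup_by_id_parameterised(db, "2 OR 1=1"))  # []
    print(lookup_by_id_validated(db, "2"))             # ['bob']
```

The escaping cleaner is correct for quoted string contexts and silently useless for the numeric one, while the bound parameter behaves identically in both; that context-dependence is what makes hand-written cleaning hard to keep correct across a codebase.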