[thelist] Avoiding SQL Injection

Matt Warden mwarden at gmail.com
Mon Mar 21 17:35:17 CST 2005


On Tue, 22 Mar 2005 09:04:00 +1100, Ken Schaefer <Ken at adopenstatic.com> wrote:
> I am surprised that the use of prepared statements and parameterised queries
> has not been brought up.
> 
> There are numerous ways to either (a) inject SQL or (b) fingerprint a
> database via error codes. Attempting to sanitise bad input is, in the final
> analysis, a losing battle. Instead, the use of parameterised queries is the way
> to avoid SQL injection. You are putting the burden of avoiding SQL Injection
> onto your data access technology, rather than attempting to come up with your
> own algorithms.

I would not say that using prepared statements just to avoid SQL
injection is a good idea. One is introducing quite a performance hit
if the statement is only going to be executed once.

What is so wrong with validating user input and restricting database
user permissions? Is there a case you can think up that would still
get by these input-cleaning functions? Why is it a losing battle?


-- 
Matt Warden
Miami University
Oxford, OH, USA
http://mattwarden.com


This email proudly and graciously contributes to entropy.
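An added example, not from this thread or either poster, contrasting the two approaches being debated using Python's sqlite3 module and a constructed in-memory users table: a hand-rolled quote-escaping "cleaner" holds up for a quoted string lookup but does nothing for a numeric one, while a bound parameter is safe in both.

```python
# Added example (not from the thread): string-built vs. parameterised
# lookups against an in-memory SQLite table, to show why quote-escaping
# alone is not a complete defence and why placeholders are.
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def escape_quotes(value):
    """The kind of hand-rolled 'input cleaning' the thread debates:
    doubles single quotes, which is all it knows how to do."""
    return str(value).replace("'", "''")


def find_by_name_concat(conn, name):
    """Input spliced into the SQL text, quote-escaped first.
    Because the value lands inside quotes, escaping happens to hold."""
    sql = "SELECT id FROM users WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_concat(conn, user_id):
    """Same splice in a numeric context: no quotes are involved, so
    escape_quotes() has nothing to act on and the comparison is rewritten."""
    sql = "SELECT id FROM users WHERE id = %s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn, user_id):
    """Hardened form: the driver binds the value; the SQL text never
    changes, so the input can only ever be compared as data."""
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]
```

Restricting the database user's permissions, as Matt suggests, limits what a rewritten query can reach, but it does not stop the query from being rewritten; the placeholder does.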

