[thelist] Avoiding SQL Injection

Matt Warden mwarden at gmail.com
Mon Mar 21 17:35:17 CST 2005

On Tue, 22 Mar 2005 09:04:00 +1100, Ken Schaefer <Ken at adopenstatic.com> wrote:
> I am surprised that the use of prepared statements and parametised queries
> has not been brought up.
> There are numerous ways to either (a) inject SQL or (b) finger print a
> database via error codes. Attempting to sanitise bad input is, in the final
> analysis, a losing battle. Instead, the use of parametised queries is the way
> to avoid SQL injection. You are putting the burden of avoiding SQL Injection
> onto your data access technology, rather than attempting to come up with your
> own algorithms.

I would not say that using prepared statements just to avoid SQL
injection is a good idea. One is introducing quite a performance hit
if the statement is only going to be executed once.

What is so wrong with validating user input and restricting database
user permissions? Is there a case you can think up that would still
get by these input-cleaning functions? Why is it a losing battle?

Matt Warden
Miami University
Oxford, OH, USA

This email proudly and graciously contributes to entropy.

More information about the thelist mailing list