SQL injection attacks

Comments

Also has to be said that if you must generate programming-language statements on the fly, then you need to convert strings into string literals anyway. For SQL this means doubling up all the apostrophes (in case someone's log-in name is o'reilly), and then SQL injection should not be possible...

My preference has always been for the application to do all its work via stored procedures; you can then give the database user the application connects as no INSERT or UPDATE privileges at all.
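The apostrophe-doubling point above, worked through in code. This is an added example and not code from the original post or its commenter; it uses Python's built-in sqlite3 driver against a constructed two-row `users` table (the names, passwords and function names are all assumptions for illustration). It runs the same login query three ways: naive concatenation, concatenation after converting each input into a proper SQL string literal (doubling apostrophes), and bound parameters. It also shows the one case the literal conversion cannot cover, a numeric context where there is no quote to escape. SQLite has no stored procedures, so the privilege-separation half of the comment is not demonstrated here.

```python
import sqlite3

# Constructed sample data, not from the original page.
USERS = [("o'reilly", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory SQLite database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def quote_literal(s):
    """Convert a Python string into a SQL string literal by doubling apostrophes."""
    return "'" + s.replace("'", "''") + "'"


def login_concat(conn, name, password):
    """Vulnerable form: user input pasted straight into the statement text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_escaped(conn, name, password):
    """Same statement, but every user string is first made into a proper literal."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = " + quote_literal(name)
           + " AND password = " + quote_literal(password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, password):
    """Bound parameters: the driver keeps the data out of the statement text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def count_by_rowid_concat(conn, rowid_text):
    """Numeric context: no quotes surround the value, so doubling apostrophes
    changes nothing here; only parameter binding or strict validation helps."""
    sql = "SELECT COUNT(*) FROM users WHERE rowid = " + rowid_text
    return conn.execute(sql).fetchone()[0]


def attempt(login_fn, name, password):
    """Run one login attempt on a fresh database.
    'error' means the statement did not even parse, which is what a
    legitimate o'reilly gets from naive concatenation."""
    conn = make_db()
    try:
        return "ok" if login_fn(conn, name, password) else "denied"
    except sqlite3.OperationalError:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (login_concat, login_escaped, login_param):
        print(fn.__name__,
              attempt(fn, "o'reilly", "s3cret"),     # legitimate apostrophe
              attempt(fn, "alice' --", "wrong"),     # comment out the password check
              attempt(fn, "alice", "' OR '1'='1"))   # tautology
    print("rowid injection:", count_by_rowid_concat(make_db(), "1 OR 1=1"))
```

Run as a script: `login_concat` breaks for o'reilly and lets both attacks through, `login_escaped` and `login_param` accept o'reilly and deny both attacks, and the final line shows that `rowid = 1 OR 1=1` matches every row because there was never a literal to escape. Binding parameters covers both contexts with one mechanism, which is why it is the usual recommendation even where literal escaping is done correctly.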
