PerlMonks  

Re: Preventing SQL injection attacks: are -T and placeholders not enough?

by Errto (Vicar)
on Jan 09, 2008 at 19:23 UTC (#661467=note)


in reply to Preventing SQL injection attacks: are -T and placeholders not enough?

This may be stating the obvious, but placeholders are only guaranteed effective when the SQL itself is completely static or, at the very least, is assembled from components that are themselves completely static - that is, no user-supplied data enters the SQL string itself in any way.

I bring this up because there may be situations where some portion of the statement (for ex. a column name) needs to be dynamically determined based on inputs. Such situations definitely require extra care. Also, it helps to emphasize the contrast with certain technologies (*cough* PL/SQL *cough*) that have less than full support for placeholders :)


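The distinction Errto draws above (values go through placeholders; a dynamically chosen column name cannot, so it needs separate handling) is illustrated by the following added Perl/DBI example. It is not code from the thread or from DBI itself; it assumes DBD::SQLite is installed and builds a constructed in-memory `users` table. The `find_users` routine, the `%SORTABLE` whitelist and the sample rows are all hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database with constructed sample data (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email, created) VALUES (?, ?, ?)');
$ins->execute(@$_) for (
    [ 'alice', 'alice@example.com', '2008-01-01' ],
    [ 'bob',   'bob@example.com',   '2008-01-05' ],
);

# The only column names this code will ever interpolate into SQL text.
# Anything not listed here is rejected before it can reach the query string.
my %SORTABLE = map { $_ => 1 } qw(name email created);

# Look up users by name, ordered by a caller-chosen column.
# The value is bound through a placeholder; the column name cannot be,
# so it is checked against the whitelist and then quoted as an identifier.
sub find_users {
    my ($dbh, $name, $order_by) = @_;
    die "unsupported sort column\n" unless $SORTABLE{$order_by};
    my $col = $dbh->quote_identifier($order_by);
    my $sql = "SELECT name, email FROM users WHERE name = ? ORDER BY $col";
    return $dbh->selectall_arrayref($sql, {}, $name);
}

# Ordinary use: the value is bound, the column is whitelisted.
for my $row (@{ find_users($dbh, 'alice', 'created') }) {
    print join("\t", @$row), "\n";
}

# A sort parameter that is not a known column never becomes part of the SQL.
eval { find_users($dbh, 'alice', 'name; DROP TABLE users') };
print "rejected: $@" if $@;

# The bound value may contain anything; the driver treats it as data, not SQL,
# so this lookup simply matches no row.
my $rows = find_users($dbh, "alice' OR '1'='1", 'name');
print "rows for quote-laden value: ", scalar @$rows, "\n";
```

The whitelist is the key part: `quote_identifier` only protects against a column name that happens to contain quotes, whereas the hash lookup guarantees that only names the application already knows can be spliced into the statement at all. Keeping the set of dynamic fragments that small (and static) is what lets placeholders do the rest of the work.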
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by Juerd (Abbot) on Jan 09, 2008 at 22:16 UTC

    Fortunately, non-static SQL is often a sign of evil database design :)

      Oddly, however, knowing that your database design is evil doesn't necessarily help you write more secure code for it. ;-)



      If God had meant us to fly, he would *never* have given us the railroads.
          --Michael Flanders

        ++ :)
