Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot
 
PerlMonks  

Re: Preventing SQL injection attacks: are -T and placeholders not enough?

by Errto (Vicar)
on Jan 09, 2008 at 19:23 UTC ( #661467=note: print w/ replies, xml ) Need Help??


in reply to Preventing SQL injection attacks: are -T and placeholders not enough?

This may be stating the obvious, but placeholders are only guaranteed effective when the SQL itself is completely static or, at the very least, is assembled from components that are themselves completely static - that is, no user-supplied data enters the SQL string itself in any way.

I bring this up because there may be situations where some portion of the statement (for ex. a column name) needs to be dynamically determined based on inputs. Such situations definitely require extra care. Also, it helps to emphasize the contrast with certain technologies (*cough* PL/SQL *cough*) that have less than full support for placeholders :)


Comment on Re: Preventing SQL injection attacks: are -T and placeholders not enough?
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by Juerd (Abbot) on Jan 09, 2008 at 22:16 UTC

    Fortunately, non-static SQL is often a sign of evil database design :)

      Oddly, however, knowing that your database design is evil doesn't necessarily help you write more secure code for it. ;-)



      If God had meant us to fly, he would *never* have given us the railroads.
          --Michael Flanders

        ++ :)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://661467]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (12)
As of 2014-08-22 12:25 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (156 votes), past polls