Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options

Re: Detect SQL injection

by mpeppler (Vicar)
on Aug 15, 2010 at 07:41 UTC ( #855130=note: print w/replies, xml ) Need Help??

in reply to Detect SQL injection

With Sybase, one of the best ways that I've found to avoid any risk of SQL Injection is to mandate the use of stored procedures, and to always use RPC semantics when calling the stored procedures rather than language commands.

This means that there is no parsing of the input parameters (other than ensuring that they match with the parameter's datatypes), so any text that is passed in for a particular parameter can never be executed.

Another advantage (on large systems) is that the procs encapsulate all the SQL, making it a lot easier to find offending (badly performing) queries, and tuning them independently of the client code.

I realize that this isn't always practical, but once everyone in the team knows how this works it's actually quite efficient, in particular on large systems (200+ developers, several thousand tables, three million+ lines of SQL code...)


Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://855130]
[atcroft]: james28909: That particular questions was a bit of trick, actually (depending on the country you are in). More interesting is, if you are trying to subtract from an epoch time, for instance, you might have to consider when/if DST occurs for a location,
[atcroft]: because you may have to adjust the number of seconds you change from an epoch from 86400 (not to mention leap seconds)....
[atcroft]: james28909: Although if your program is using a database, you might be able to "pass the buck" to the database and ask it to do the date change for you....
[stevieb]: ++ atcroft

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (2)
As of 2017-04-29 04:40 GMT
Find Nodes?
    Voting Booth?
    I'm a fool:

    Results (531 votes). Check out past polls.