WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Dejan Bosanac <dejanb () datagate co yu>
Date: Tue, 11 Feb 2003 09:13:22 +0100
The only issue with prepared statements is that if you use them, you lose compatibility with different database systems.
Regards, Dejan

Robert Nilsen wrote:

I might be missing the point here (and surely it must have been posted/explained before), but in my world, the safest way to do SQL is through prepared statements, a.k.a. bind variables/parameters whenever someone out in the client segment has "touched" the input. Rule number one must always be to never trust the client! And being sloppy just once with validation could mean the end of your data = not putting focus on security! By using prepared statements, the code is safer AND, in most cases, the next run will execute quicker. -Robert
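As an added illustration (not code from either poster), a small Python sqlite3 sketch of the point above: the same lookup built by string concatenation and by a bound parameter, run against a constructed in-memory table with a benign name and with an input that closes the quoted literal. The driver's `paramstyle` is reported at the end because placeholder syntax differs between database drivers, which is the portability cost Dejan refers to.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: client-controlled text becomes part of the SQL grammar
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the statement is compiled first and the value is bound
    # afterwards, so it is only ever compared as data, never parsed as SQL
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    benign = "bob"
    # Constructed input that terminates the quoted literal and appends
    # an always-true condition; it should never widen the result set
    hostile = "x' OR 'a'='a"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),   # every row leaks
        "prepared_benign": lookup_prepared(conn, benign),
        "prepared_hostile": lookup_prepared(conn, hostile),  # no match
        # Placeholder style is driver-specific ("qmark" for sqlite3; other
        # DB-API drivers use "format" or "named"), hence the portability cost
        "paramstyle": sqlite3.paramstyle,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```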