Bugtraq mailing list archives

Re: Intresting case of SQL Injection

From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 5 Dec 2003 22:18:30 +0100

Scovetta, Michael V wrote:

  I've run into this, and my solution for MSSQL was to use Java
PreparedStatements).


Unfortunately, there appears to be a misconception surrounding Java
prepared statements.  Many developers assume that the only reason to use
them is performance, and are extremely reluctant to switching (even if
the application architecture would allow for that with a reasonable
delevelopment effort).

I believe that the relative fragility of database gateways written in
PHP is a result of the late availability of higher-level database
interface libraries (comparable to JDBC or Perl's DBI) and thus the
large amount of hand-written SQL statement generation code.

Current thread:

Intresting case of SQL Injection Martin Sarsale (runa@sytes) (Dec 04)
- Re: Intresting case of SQL Injection Markus Fischer (Dec 05)
- <Possible follow-ups>
- Intresting case of SQL Injection Sys Sec (Dec 05)
  - Re: Intresting case of SQL Injection Nick FitzGerald (Dec 05)
- RE: Intresting case of SQL Injection Scovetta, Michael V (Dec 05)
  - Re: Intresting case of SQL Injection Florian Weimer (Dec 05)