WebApp Sec mailing list archives

Re: SQL Injection Basics


From: Dirk Gomez <dirk () dirkgomez de>
Date: 11 Feb 2003 00:57:57 +0100

> I might be missing the point here (and surely it must have been
> posted/explained before), but in my world, the safest way to do SQL is
> through prepared statements, a.k.a. bind variables/parameters whenever

Of course! Pasting variables into an SQL statement will always leave a door wide
open for SQL injection.

It's a bit more work in the very beginning, but once the framework is in place
using bind variables should be straightforward.

Not only are bind variables safe, but at least for Oracle it is also the only
way to end up with a scalable database-backed web application.
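As an added illustration that is not part of Dirk's post, here are the two approaches he contrasts side by side: a variable pasted into the statement text versus the same lookup done with a bind variable. It uses Python's sqlite3 module rather than Oracle, and the table, rows and inputs are all constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_by_name_pasted(conn, name):
    # The variable is pasted into the statement text, so its characters
    # become part of the SQL grammar instead of staying plain data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        # A legitimate apostrophe already breaks the statement.
        return "syntax error"


def find_by_name_bound(conn, name):
    # Bind variable: the statement text is fixed and parsed on its own;
    # the value travels separately and can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Runs the same input through both lookups so the difference is visible.
    conn = make_db()
    return {
        "pasted": find_by_name_pasted(conn, name),
        "bound": find_by_name_bound(conn, name),
    }


if __name__ == "__main__":
    for value in ("bob", "o'brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The bound form returns exactly the matching row for "bob", handles the apostrophe in "o'brien" correctly where the pasted form fails, and returns nothing for the tautology input that makes the pasted form return every row.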
