WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Dirk Gomez <dirk () dirkgomez de>
Date: 11 Feb 2003 00:57:57 +0100
I might be missing the point here (and surely it must have been posted/explained before), but in my world, the safest way to do SQL is through prepared statements, a.k.a. bind variables/parameters whenever
Of course! Pasting variables into an SQL statement will always leave a door wide open for SQL injection. It's a bit more work in the very beginning, but once the framework is in place, using bind variables should be straightforward. Not only are bind variables safe, but at least for Oracle it is also the only way to end up with a scalable database-backed web application.
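The contrast Dirk describes, as an added example that is not part of the original post: the same lookup written by pasting the value into the SQL text and written with a bind variable, run against a constructed in-memory SQLite table (the table, rows and inputs are all made up for this demonstration).

```python
import sqlite3

# Constructed sample data; the table and rows exist only for this demonstration.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user")]

# Constructed inputs: an ordinary name, a name containing an apostrophe, and one
# that changes the WHERE clause if it is pasted into the SQL text.
INPUTS = {
    "plain": "alice",
    "apostrophe": "O'Brien",
    "tautology": "x' OR '1'='1",
}


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """The pattern the thread warns against: the value becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Bind variable: the statement text is fixed and the value travels separately,
    so the database never parses user input as SQL. The identical text also lets
    the server reuse one parsed statement for every call (the scalability point)."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def run_demo():
    """Run both lookups on every input and collect what each returns."""
    conn = setup_db()
    results = {}
    for label, name in INPUTS.items():
        try:
            concat = lookup_concat(conn, name)
        except sqlite3.OperationalError as exc:
            # The apostrophe input breaks the pasted statement outright.
            concat = "SQL syntax error: " + str(exc)
        results[label] = {"concat": concat, "bound": lookup_bound(conn, name)}
    conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

The pasted version either fails on a legitimate name with an apostrophe or returns every row for the tautology input, while the bound version returns exactly the rows whose name equals the supplied string.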