WebApp Sec mailing list archives

Fwd: Re: Interesting case of SQL Injection


From: "George W. Capehart" <gwc () acm org>
Date: Sat, 6 Dec 2003 11:40:36 -0500

FYI,

Thought this thread might be of interest to the list.  It can be 
accessed from the bugtraq archives on SecurityFocus.

/g

----------  Forwarded Message  ----------

Subject: Re: Interesting case of SQL Injection
Date: Fri, 05 Dec 2003 22:18:30 +0100
From: Florian Weimer <fw () deneb enyo de>
To: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Cc: "Martin Sarsale (runa@sytes)" <runa () runa sytes net>, 
bugtraq () securityfocus com

Scovetta, Michael V wrote:
  I've run into this, and my solution for MSSQL was to use Java
  PreparedStatements.

Unfortunately, there appears to be a misconception surrounding Java
prepared statements.  Many developers assume that the only reason to
use them is performance, and are extremely reluctant to switch
(even if the application architecture would allow for that with a
reasonable development effort).

I believe that the relative fragility of database gateways written in
PHP is a result of the late availability of higher-level database
interface libraries (comparable to JDBC or Perl's DBI) and thus the
large amount of hand-written SQL statement generation code.

-------------------------------------------------------

-- 
George Capehart

"I'd rather have a bottle in front of me than a frontal lobotomy."
  -- Unknown
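Added example (not part of the forwarded thread): the point Florian makes, that parameterised statements are a correctness and security control rather than a performance trick, shown with Python's stdlib sqlite3 standing in for the JDBC PreparedStatement and MSSQL setup the thread discusses. The table, rows and the apostrophe-bearing name are constructed sample data.

```python
import sqlite3

# Constructed in-memory database standing in for the real backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn

def lookup_concat(conn, name):
    # Hand-written SQL generation: the user-supplied value becomes part of the
    # statement text, so the SQL parser sees it as SQL. A perfectly legitimate
    # surname with an apostrophe is enough to change the statement's meaning.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, name):
    # Parameterised statement (the DB-API equivalent of a JDBC PreparedStatement):
    # the SQL text is fixed at write time and the value is bound separately, so it
    # is never parsed as SQL regardless of which characters it contains.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def compare(name):
    # Runs both variants on the same input; returns (concat_result, prepared_result),
    # where concat_result is an "error: ..." string if the naive query broke.
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return concat, lookup_prepared(conn, name)

if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        concat, prepared = compare(name)
        print(f"{name!r}: concatenated -> {concat}; prepared -> {prepared}")
```

The concatenated query fails on the second input while the parameterised one returns the right row: the same mechanism that makes an apostrophe break the statement is what makes hand-built SQL injectable.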
