By skoop
via thespanner.co.uk
Published: Jul 24 2007 / 07:18
I’ve been developing a system for a while now and it’s currently in the testing stage. I noticed that a SQL injection vulnerability had crept in. I was quite surprised because my filtering methods are generally quite good and I’ve not seen any SQL errors in the logs for quite some time. Luckily the site wasn’t live, so I had plenty of time to see what was going on.
Comments
jsmith8858 replied ago:
Escaping data is never the answer against SQL injection. Parameterized commands and/or stored procedures are. End of story.
mezmo replied ago:
I agree wholeheartedly with the statement that parameterized queries should always be used. But as has been suggested to me in several security seminars I've been to in the last couple of years, there are still ways of futzing with the inputs that could compromise your data even with the use of parameterized queries, so even using them it would still be considered a best practice to escape and sanity check your data as well.
jamesstaylor replied ago:
Amen!
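To make the thread's argument concrete, here is an added example (editor's code, not from the original post or any commenter) contrasting the three approaches discussed above: string concatenation, quote escaping, and parameter binding, plus the one case parameters genuinely cannot cover, which is the kind of gap mezmo's comment alludes to. It uses an in-memory SQLite database with a constructed `users` table; the table, the column names and the `ALLOWED_ORDER_COLUMNS` allowlist are assumptions for illustration, not the schema of the system in the post.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): three users in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """Vulnerable: user input is spliced straight into the SQL text, so a
    payload such as  x' OR '1'='1  becomes part of the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_by_id_escaped(conn, id_text):
    """Still vulnerable: quotes are escaped, but the value lands in an
    unquoted numeric context, so  1 OR 1=1  contains nothing to escape."""
    escaped = id_text.replace("'", "''")
    sql = "SELECT name FROM users WHERE id = " + escaped
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """Safe: the value is bound as a parameter and is never parsed as SQL,
    whatever quotes or keywords it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table/column names, ORDER BY targets, ASC/DESC) cannot be
# bound as parameters: binding "name" to  ORDER BY ?  sorts by the constant
# string 'name', not by the column. The only robust control is an allowlist.
ALLOWED_ORDER_COLUMNS = {"id", "name", "role"}  # assumption: the sortable columns


def is_allowed_sort_column(column):
    return column in ALLOWED_ORDER_COLUMNS


def list_users_sorted(conn, order_by):
    """Safe identifier handling: reject anything not on the allowlist before
    it reaches the query text."""
    if not is_allowed_sort_column(order_by):
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = f"SELECT name FROM users ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("concat, injected :", find_user_concat(db, "x' OR '1'='1"))
    print("escaped, injected:", find_user_by_id_escaped(db, "1 OR 1=1"))
    print("param, injected  :", find_user_param(db, "x' OR '1'='1"))
    print("sorted by name   :", list_users_sorted(db, "name"))
    try:
        list_users_sorted(db, "name; DROP TABLE users")
    except ValueError as exc:
        print("rejected         :", exc)
```

The point the code makes is that escaping is context-dependent (the numeric case defeats quote escaping outright), parameter binding removes that context problem for values, and anything that is not a value, such as a sort column, still needs an allowlist rather than escaping. Sanity-checking input on top of that, as mezmo suggests, is cheap, but it is the allowlist and the binding that actually prevent the injection.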