Preventing SQL injection with stored procedures
Posted Jun 1, 2006 13:18 UTC (Thu) by mrshiny
In reply to: Preventing SQL injection with stored procedures
Parent article: SQL injection vulnerabilities in PostgreSQL
Right, place-holders in the prepared query will prevent injection attacks. But the same functionality is available for normal queries, so I guess I'm not seeing how "using stored procedures" is advisable. Really it comes down to "use prepared queries/procedure-calls". A developer who doesn't understand "use prepared queries" can't be trusted to make the leap to prepared queries for procedure calls.
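To make the distinction the comment draws concrete, here is an added example (not from the comment or from the PostgreSQL article): the same query written once by pasting the input into the SQL text and once with a bound parameter. It uses an in-memory sqlite3 table so it runs offline; the `?` placeholder is the same mechanism a PostgreSQL driver uses with `%s` or `$1`, whether the statement is a plain `SELECT` or a call to a stored function.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for an application's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable: the value is spliced into the SQL text, so any quote
    # character in it becomes part of the statement's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Parameterised: SQL text and value travel separately, so the value is
    # always data and can never alter the statement. The same holds for a
    # call such as "SELECT * FROM find_user(?)" against a stored function.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Run both variants on a fresh table; report a parse failure of the
    # concatenated form as a string instead of raising.
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    return concat, lookup_param(conn, name)


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(value), "->", compare(value))
```

A legitimate name containing an apostrophe already breaks the concatenated form, and an input that closes the quote changes which rows come back; the parameterised form returns exactly the row whose name equals the input in every case.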