SQL injection attacks
Posted Apr 1, 2006 13:35 UTC (Sat) by holstein (guest, #6122)
In reply to: SQL injection attacks by dps
Parent article: SQL injection attacks
As others have pointed out, '1 OR 1=1' can be a valid password. Or at least, a validation routine for valid passwords should accept this; something like '1hotguys = 1' is a valid password...
So, input validation is not a silver bullet; it's just a step in the journey.
Using a stored procedure helps because the data will be used just as it is: data. You can't turn the input into a variation of the executed query (at least, not easily). Of course, bad data could trigger other kinds of problems (like, say, a buffer overflow attack on the RDBMS).
As for the syntax for placeholders in prepared statements, with the Perl DBI at least, the syntax is the same for every RDBMS. And having worked with MySQL, Oracle and SQLite with PHP, I don't recall having seen different syntax used; maybe it was because I was not using the 'direct' API (like mysql_xx, oc8_xx, etc.) but instead using an abstraction layer, like PEAR DB. But if you are writing a multiple-database-server application, I would guess that this is a 'sine qua non' condition. At least for me!
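
An added example, not part of the comment above: the same login check written with string concatenation and with `?` placeholders, run against passwords that look like SQL. It uses Python's `sqlite3` as a stand-in for the DBI/PEAR DB layers mentioned; the table, the function names and the sample rows are hypothetical and constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts. Two passwords are legitimate but "look like SQL".
# Plaintext storage is used only to keep the demonstration short.
USERS = [("alice", "1 OR 1=1"), ("bob", "s3cret"), ("carol", "it's = 1")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db

def login_concat(db, name, password):
    """'Before' form: input is spliced into the statement text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    try:
        return db.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A stray quote in the input breaks the statement itself.
        return False

def login_bound(db, name, password):
    """Placeholder form: the statement text is fixed, input is bound as data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    cases = [
        ("alice", "1 OR 1=1"),      # legitimate password, must be accepted
        ("carol", "it's = 1"),      # legitimate password containing a quote
        ("bob", "1' OR '1'='1"),    # constructed input that is not bob's password
    ]
    for name, pw in cases:
        print(f"{name!r:8} {pw!r:16} concat={login_concat(db, name, pw)!s:5} "
              f"bound={login_bound(db, name, pw)}")
```

With binding, both legitimate passwords are accepted unchanged and the third input is just a wrong password; with concatenation, carol is locked out by her own quote and the third input changes the `WHERE` clause.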