cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ilya A. Kriveshko" <>
Subject Re: R: A case of SQL injection
Date Tue, 05 Nov 2002 15:05:28 GMT
Luca Morandini wrote:

>call me boring, but, wouldn't it be better using stored procedures over
>dynamic SQL ?
<quote from="MySQL Documentation">
  Our aim is to have stored procedures implemented in MySQL Server 
around version 5.0.

Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
when not taken care of... :-)

As far as DB exploits go, IMO, prepared statements are the simplest and 
the most
reliable way to ensure security agains SQL injection. I think it should 
be a rule that
no piece of data ever gets cocatenated into an SQL query.
Using PreparedStatement.set<Type>() should be the only accepted way to 
do that.
The only strings that can be concatenated into a dynamic SQL query should
be SQL fragments that are declared locally in the source code. Anything 
short of
that would never pass a peer code review 'round these parts.

>It offers: SoC, code re-use, security, performance...
>Best regards,
>Luca Morandini
>     We are protected from the virus by Norton Antivirus Corporate Edition
>To unsubscribe, e-mail:
>For additional commands, email:

To unsubscribe, e-mail:
For additional commands, email:

View raw message