Protecting your MySQL database from SQL injection - nickb
http://www.linux.com/feature/145341

======
axod
"SQL injection attacks can allow hackers to execute arbitrary SQL commands on
your database through your Web site. To avoid these attacks, every piece of
data supplied by a user on a Web form, through HTTP Post or CGI parameters, or
other means, must be validated to not contain information that is not
expected."

This is just silly. There is a really simple way to prevent all SQL injection
- use parameterized SQL.

~~~
pedalpete
I wasn't familiar with parameterized SQL, but am looking closer now. Initial
searches are not providing much as a guide. Anybody have any good links to
resources?

The best I found was <http://www.codinghorror.com/blog/archives/000275.html>
but I'm hoping to get something that better describes what I should be doing
with parameterized SQL.

Thanks

~~~
axod
Quick example in Java:

    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.SQLException;

    // conn is an already-open java.sql.Connection. The ? placeholders are
    // bound below, so the values are never parsed as part of the SQL text.
    try (PreparedStatement stmt = conn.prepareStatement(
            "UPDATE accounts SET username = ?, password = ? WHERE id = ?")) {
        stmt.setString(1, "foo");
        stmt.setString(2, "bar");
        stmt.setInt(3, 49);
        stmt.executeUpdate();
    } catch (SQLException e) {
        throw new RuntimeException("update failed", e);
    }

As you see, very easy to do, and separates SQL from data.
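
The point of the thread, shown end to end as an added example that is not from the original post: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table standing in for the MySQL accounts table (the table, the rows and the input are all assumed for the demonstration).

```python
import sqlite3


def make_db():
    # Constructed stand-in for the accounts table; in-memory so it runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable form: the input is spliced into the SQL text, so a quote in
    # the input changes the statement's structure instead of staying data.
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    # Hardened form: the SQL text is fixed and the value is bound separately,
    # so the driver never interprets the input as SQL, whatever it contains.
    sql = "SELECT username FROM accounts WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, the kind of thing a form field may carry.
    tampered = "x' OR '1'='1"
    print(lookup_concatenated(db, "alice"))     # ['alice']
    print(lookup_concatenated(db, tampered))    # ['alice', 'bob'] -- every row returned
    print(lookup_parameterized(db, tampered))   # [] -- no account is literally named that
```

The concatenated query returns every account because the input rewrote the WHERE clause; the parameterized query simply finds no user with that odd name, which is exactly the behaviour the input validation quoted above is trying, and failing, to guarantee.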

------
zain
GreenSQL is interesting, but it just adds another layer of complexity and
another link in the chain. It might be useful to somewhat secure old code with
minimal dev work, but no programmer should depend on it, especially since
every single modern programming language offers secure methods to conduct
database queries.

------
simonw
Using a database proxy to defend against SQL injection reminds me of
<http://xkcd.com/463/>

~~~
SlowOnTheUptake
It reminded me of: <http://xkcd.com/327/>

------
pierrefar
A great "firewall" (in the figurative sense, not the technical sense) to
blanket block SQL injections and more:

<http://www.0x000000.com/index.php?i=567>