Six ways to protect yourself from SQL Injection - MattBearman
http://www.mattbearman.co.uk/2011/03/29/six-ways-to-protect-yourself-from-sql-injection/

======
redredraider
If you sanitize every input then I think you will be ok. You just have to get
in the habit of always running your safe() function on every variable that
comes in a POST or GET. I would also make sure that SQL errors don't return
anything. The page should just die. Automated scripts testing inputs look for
error messages.

------
spooneybarger
And the number one way... don't use a sql database. I worked with an object
database for a couple years and not having to think about sql injections while
coding was really nice.

~~~
nbpoole
Right, because there aren't any similar vulnerabilities that affect NoSQL
databases... ;)

http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/

~~~
spooneybarger
Hey, it isn't a sql injection.

------
mooism2
Use placeholders in prepared statements. "Sanitising" your input, banning
magic words etc is hacky and fragile by comparison.

~~~
MattBearman
I said in my article someone would show me a better way and this is it - I'd
never seen prepared statements before now, but you can bet I'll be using them
from now on.

For anyone else who isn't sure what they are: prepared statements involve
sending a template-style query and its parameters to the SQL API separately, e.g.:

query template: "select * from users where username = ?"

Parameter: "Matt"

The SQL API knows that one is a query and one is just a parameter, so injection
is impossible.
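The contrast mooism2 and MattBearman are describing, as an added example that is not part of the article or of anyone's comment in the thread. The article and the thread are PHP-flavoured; this uses Python's standard-library sqlite3 module so it runs stand-alone with no server. The users table and its rows are constructed for the example, and safe() is a hypothetical quote-doubling sanitiser standing in for the kind of function redredraider mentions, not that commenter's code. The block shows the same tautology payload against string concatenation, against the sanitiser, and against a ? placeholder, and then repeats the sanitiser test on a numeric column, where there are no quotes to escape.

```python
import sqlite3

# Constructed sample table, not taken from the article or the thread.
USERS = [(1, "matt", "hunter2"), (2, "admin", "s3cret")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def safe(value):
    """Hypothetical 'sanitiser' of the kind the thread discusses: doubles
    single quotes so a quoted string literal cannot be terminated early."""
    return str(value).replace("'", "''")


def by_username_concat(conn, username):
    """Vulnerable: the input is glued into the SQL text, so the parser
    treats whatever it contains as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def by_username_escaped(conn, username):
    """Escaping holds up here only because the value sits inside quotes."""
    sql = "SELECT username FROM users WHERE username = '" + safe(username) + "'"
    return sorted(row[0] for row in conn.execute(sql))


def by_id_escaped(conn, user_id):
    """Same escaping on a numeric column, written without quotes as is common.
    Input with no quote character passes safe() untouched and is still SQL."""
    sql = "SELECT username FROM users WHERE id = " + safe(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def by_username_prepared(conn, username):
    """Prepared statement: the template goes to the engine with a ? placeholder
    and the value is bound separately, so it never enters the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def by_id_prepared(conn, user_id):
    """Placeholder on the numeric column: the bound text '1 OR 1=1' is compared
    as a value against id, not parsed as a condition."""
    sql = "SELECT username FROM users WHERE id = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_id,)))


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # closes the quoted literal, appends a true condition
    print(by_username_concat(conn, tautology))    # every row comes back
    print(by_username_escaped(conn, tautology))   # nothing: the quote was doubled
    print(by_id_escaped(conn, "1 OR 1=1"))        # every row again: nothing to escape
    print(by_username_prepared(conn, tautology))  # nothing
    print(by_id_prepared(conn, "1 OR 1=1"))       # nothing
```

The numeric-column case is the point behind calling sanitising fragile: the escaping function is correct for the one context it was written for and silently does nothing in the next one, while the placeholder version needs no knowledge of where in the statement the value lands. In PHP the equivalent is PDO or mysqli prepared statements with bound parameters.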

