How to deal with incompetence, I mean SQL injection - dnaquin
http://www.networkworld.com/news/2008/050108-autoweb.html

======
jrockway
The article seems to paint SQL injection attacks as though they're incredibly
hard to prevent and are thus unavoidable. Obviously, that's completely wrong.
You have to go out of your way to allow SQL injection.

The solution to SQL injection attacks is to hire programmers to write your
application, not bums off the street. What a concept.

(There is one case where I'll forgive the developers; a while back there was a
MySQL library bug that let bind variables inject SQL in certain cases. That's
not the fault of the app developer, and it was fixed with a library update.)

------
okeumeni
Fire the folks in charge.

SQL injection vulnerability is a sign of poor process design and weak
programming.

~~~
Prrometheus
What do you have to do besides escaping special characters in input fields?

~~~
jfornear
Every time SQL injection comes up everyone says how easy it is to prevent with
one line of code, and then no one ever shares that one line!

From Wikipedia (Using Parameterized Statements): Parameterized statements use
parameters (sometimes called placeholders or bind variables) instead of
embedding user input in the statement. In many cases, the SQL statement is
fixed. The user input is then assigned (bound) to a parameter. This is an
example using Java and the JDBC API:

    PreparedStatement prep =
        conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
    prep.setString(1, pwd);
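
The contrast behind the Wikipedia snippet above, and the answer to the earlier
question about whether escaping is enough: an added example (not from the
thread or from the linked article) in Python against an in-memory SQLite
database with constructed sample users. The same query is written twice, once
by splicing the input into the SQL text and once with a bound parameter, and
both are run on an honest password, on a password that merely contains an
apostrophe, and on an input whose quote character changes the statement's
structure. The table, user names and passwords are all made up for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database; names and passwords are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "correct horse"), ("carol", "it's")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, pwd):
    # Vulnerable form: the input becomes part of the SQL text, so any quote
    # character in pwd is parsed as SQL rather than treated as data.
    sql = "SELECT name FROM users WHERE password = '" + pwd + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, pwd):
    # Parameterized form: the statement text is fixed and pwd is bound as a
    # value, so it can never alter the statement no matter what it contains.
    sql = "SELECT name FROM users WHERE password = ?"
    return [row[0] for row in conn.execute(sql, (pwd,))]


def demo():
    conn = make_db()
    honest = "hunter2"            # a real password
    apostrophe = "it's"           # a legitimate password containing a quote
    quoted = "' OR '1'='1"        # constructed input that unbalances the quoting

    results = {}
    for label, pwd in (("honest", honest), ("apostrophe", apostrophe), ("quoted", quoted)):
        # The concatenated query either misbehaves or fails to parse; the
        # parameterized one returns exactly the rows whose password equals pwd.
        try:
            results["concat_" + label] = lookup_concatenated(conn, pwd)
        except sqlite3.OperationalError as exc:
            results["concat_" + label] = "error: " + str(exc)
        results["param_" + label] = lookup_parameterized(conn, pwd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that escaping the apostrophe would make the "apostrophe" case work, but
escaping is a per-database, per-encoding chore that has to be applied at every
call site, which is exactly where it gets forgotten; binding the value leaves
the database driver no way to confuse data with statement text.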

~~~
okeumeni
Embedded SQL is poor programming period!

