

Ask HN: Safety from SQL injection? - stcredzero

Which web application environments offer the best safety against SQL injection?  (Or equivalent in NoSQL databases)  How is this claim justified?  Is it through dataflow analysis, whitelisting, rewriting?  Do people have comparative experiences?
======
bartonfink
My understanding is that most drivers allow for a parameterized statement,
which escapes quotes and otherwise makes SQL "safe" for database consumption.
I've used those everywhere I've interacted with a database and have never
heard an argument against it.

Of course, I've also never worked in a place that allowed stored procedures so
I may be missing out on an advantage there.

~~~
stcredzero
So avoid anything that doesn't use parameterized SQL statements.

~~~
bartonfink
Yup. And, if you're writing anything that talks to a database, use a
parameterized statement (sometimes called a prepared statement) instead of
just concatenating strings. You will blow it if you concatenate strings and
that's what we call SQL injection.

------
papaf
People have answered your question well enough here but for general questions
about web application security I recommend OWASP. Here's the section on SQL
injection:

<http://www.owasp.org/index.php/SQL_Injection>

------
bdfh42
Using database stored procedures to retrieve or store data and passing any
value that comes from the client process (user entered or not) via a parameter
to those stored procedures (rather than constructing an SQL statement from
strings) will deal with the problem in every database I have worked with
(assuming stored procedures and variable parameters).

Justification? That's just how you guard against SQL injection attacks.
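The contrast bartonfink and bdfh42 describe, concatenating user input into SQL text versus passing it as a bound parameter, is shown below as an added example; it is not code from anyone in this thread. It uses Python's standard `sqlite3` module with an in-memory database and a constructed `users` table (SQLite has no stored procedures, but its `?` placeholders use the same value-binding mechanism that stored-procedure parameters rely on). The function names `lookup_concat`, `lookup_param` and `compare` are this example's own.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The pattern to avoid: the input is spliced into the SQL text itself,
    so a quote in the input can end the literal and change the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """The parameterized form: the statement is fixed, and the input is sent
    to the engine as a value bound to the placeholder, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Run both lookups on the same input and report what each returned.
    A syntax error from the concatenated query is reported as a string."""
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    db = make_db()
    # A plain name: both forms behave the same.
    print(compare(db, "alice"))
    # A legitimate name containing a quote: concatenation breaks the query,
    # the parameterized query simply finds the row.
    print(compare(db, "O'Brien"))
    # Input that closes the string literal: concatenation lets it rewrite the
    # WHERE clause and return every row; the bound parameter matches nothing.
    print(compare(db, "' OR '1'='1"))
```

The second case is worth noticing even before thinking about attackers: a user legitimately named O'Brien is enough to make the concatenated query fail, so the parameterized version is also the one that is simply correct.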

