Ask HN: What do you do to avoid SQL injection attacks? - joubee

I've been looking at SQL injection recently and was interested to know what other developers do to prevent these attacks.

Does anyone have anything to add?

1. Use dynamic SQL if and only if there is no other alternative
2. Escape user input always
3. Always assume magic quotes is off
4. Install security updates and patches regularly
5. Remove all the dead SQL or other code that you don't use
6. Never display the system-defined error message for SQL errors
7. Store database credentials in a separate file
8. Use the principle of least privilege
9. Disable shells
10. Use SQL injection hack tools to check for vulnerabilities
======
benologist
Parameterized queries - gist of it is it stops you _concatenating_ a bunch of
your and their strings together to form your SQL statement.

~~~
joubee
codinghorror.com: Give me parameterized SQL, or give me death

[http://www.codinghorror.com/blog/2005/04/give-me-parameteriz...](http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html)

I have fairly strong feelings when it comes to the stored procedures versus
dynamic SQL argument, but one thing is clear: you should never, ever use
concatenated SQL strings in your applications. Give me parameterized SQL, or
give me death. There are two good reasons you should never do this.

[I need to spend some time looking at this - tyvm benologist]
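The contrast benologist and the quoted codinghorror post draw, as an added example that is not from this thread: the same lookup written by concatenating the caller's string into the SQL text, beside its parameterized form, run against a constructed in-memory SQLite table (the `users` table, its rows and the probe value are assumptions made for the demo).

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_concat(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so quote characters in it change the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Parameterized form: the statement text is fixed and the value is
    handed to the driver separately, so it is only ever compared as data.
    Note this covers values only; table and column names cannot be bound."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A constructed probe value containing a quote: the concatenated query's
    # WHERE clause no longer says what the developer wrote, while the
    # parameterized query simply finds no user with that literal name.
    probe = "x' OR '1'='1"
    print("concatenated:", find_user_concat(db, probe))   # every row
    print("parameterized:", find_user_param(db, probe))   # []
```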

------
village88
Agree with all the statements above. We use Active Record for CodeIgniter or
ORM Datamapper and stay away from writing manual queries.

------
ZephyrP
I wrote my own database.

<http://zv.github.com/artifact/>

------
AznHisoka
I used Ruby activerecord and don't write manual queries.

