
The History of SQL Injection - kawera
http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away
======
craigvn
I am sure there is a lot of code out there vulnerable to SQL Injection, namely
ASP code. But I have never seen anyone write new code that way for years. I
think it is written about so much mainly because it is easy to explain to
non-techies.

~~~
anonymousDan
From yesterday:
[https://news.ycombinator.com/item?id=10619578](https://news.ycombinator.com/item?id=10619578)

~~~
singold
I get a 404 from the page posted there, what was it?

~~~
teh_klev
This:

[https://archive.is/8z5yZ](https://archive.is/8z5yZ)

------
billpg
"Another is to “use SQL libraries that take care of input sanitization for
them,” Al-Bassam suggested. This, in short, scrubs any data entered by the
user to remove any potential malicious parts of it."

This is bad advice. Some people have apostrophes in their name. Deal with it.

Shameless plug: [http://blog.hackensplat.com/2013/09/never-sanitize-your-inpu...](http://blog.hackensplat.com/2013/09/never-sanitize-your-inputs.html)

~~~
seanwilson
Pretty sure he would have meant sanitization as in escaping characters like
quotes and not just deleting quotes.

~~~
anton_gogolev
Escaping won't help. Parameterized queries all the way.

~~~
seanwilson
Sure, I really meant always use some library that will do whatever is needed
to pass potential unsafe characters over to SQL and that sanitization doesn't
mean you have to delete these characters. Obviously relying on yourself to
properly escape everything is going to fail.
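Worked illustration of the three positions in this thread (splice the input into the SQL, "sanitize" by deleting quotes, or parameterize), as an added example that is not from the article or any commenter. It uses Python's standard sqlite3 module against a constructed in-memory table; the user names are made up.

```python
"""Constructed demo: string concatenation vs. quote-stripping vs. parameters.
Added example, not code from the linked article or from any commenter."""
import sqlite3

# Constructed sample data; the second user has an apostrophe in his name.
USERS = [("alice", "Alice Smith"), ("obrien", "Conor O'Brien")]


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, fullname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, fullname):
    """Vulnerable pattern: the user's input becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE fullname = '%s'" % fullname
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, fullname):
    """Safe pattern: the driver passes the value separately from the SQL text,
    so it is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE fullname = ?"
    return [row[0] for row in conn.execute(sql, (fullname,))]


def lookup_strip_quotes(conn, fullname):
    """'Sanitizing' by deleting apostrophes: the query is safe, but the data
    is altered, so a real user named O'Brien can no longer be found."""
    return lookup_param(conn, fullname.replace("'", ""))


def demo():
    """Run each lookup with a legitimate name and with a textbook tautology."""
    conn = make_db()
    legit = "Conor O'Brien"
    crafted = "' OR '1'='1"  # not a name at all; shows why concat is unsafe
    results = {}
    try:
        results["concat_legit"] = lookup_concat(conn, legit)  # unterminated string
    except sqlite3.OperationalError as e:
        results["concat_legit"] = "error: %s" % e
    results["concat_crafted"] = lookup_concat(conn, crafted)  # leaks every row
    results["param_legit"] = lookup_param(conn, legit)        # ["obrien"]
    results["param_crafted"] = lookup_param(conn, crafted)    # [] (plain literal)
    results["strip_legit"] = lookup_strip_quotes(conn, legit) # [] (user lost)
    return results
```

The concatenated form fails on a legitimate apostrophe and returns the whole table for the crafted input, while the parameterized form handles both correctly and quote-stripping quietly breaks a real lookup.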

