
SQL Is Insecure - tkellogg
http://timkellogg.me/blog/2016/12/24/sql-is-insecure
======
Artemix
I think the main problem is the way government & medicine require systems:
instead of building something with precise requirements, they mainly want
something that just "works". Prepared statements have been around for a long
time, but the main development groups that governments like still base their
code on old habits. In France, in the PACA region, we have a centralized
network that was built last year by the same team as always. Not only is the
frontend completely outdated (not even respecting HTML3 rules), the backend is
riddled with bugs and flaws, and the SQL database and the LDAP are pretty much
completely open to people with a bit more skill than the average professor or
student.

~~~
Artemix
Edit: I forgot to add: the systems they are using are mainly completely
outdated, and there is almost only string concatenation for request building;
I didn't see any prepared statements.
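The contrast the comment draws between string concatenation and prepared statements, as an added example that is not part of the thread: a small Python script using the standard-library `sqlite3` module with a constructed in-memory `users` table (names and e-mails are made up). The concatenating lookup lets a quoted input change the query's meaning and breaks outright on a legitimate name containing an apostrophe; the parameterized lookup binds the same inputs as plain values and behaves correctly on both.

```python
import sqlite3

# Constructed sample rows (not from the original thread). The apostrophe in
# "o'brien" is a legitimate value that concatenation cannot handle.
USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("o'brien", "obrien@example.org"),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Request built by string concatenation: the caller's input becomes SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn, name):
    """Prepared statement: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def run_lookup(fn, conn, name):
    """Run a lookup and report a syntax failure instead of raising."""
    try:
        return fn(conn, name)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def demo():
    """Compare both lookups on a benign name, a name with an apostrophe,
    and the classic quote-breakout string that turns the WHERE clause into
    a tautology when concatenated."""
    conn = make_db()
    inputs = {
        "benign": "alice",
        "apostrophe": "o'brien",
        "tautology": "x' OR '1'='1",
    }
    results = {}
    for label, value in inputs.items():
        results["concat_" + label] = run_lookup(lookup_concat, conn, value)
        results["prepared_" + label] = run_lookup(lookup_prepared, conn, value)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The run shows three different outcomes for the concatenating version (correct result, SQL syntax error, every row returned) against the single intended behaviour of the prepared one. The fix costs nothing in readability, which is why the comment's point about habit rather than difficulty holds.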

