How to Write Injection-Proof SQL - mixmax
http://www.schneier.com/blog/archives/2008/10/how_to_write_in.html

======
tptacek
62 pages. For comparison, let's look at the simple rule you need to follow to
avoid buffer overflows:

Count.

Buffer overflow cost so far to the industry? In the billions, at least:
companies buy hundreds of millions of dollars of products every year as
countermeasures against them. And that's for a bug whose fix can be described
in one word.

~~~
utnick
The article is about sql injection not buffer overflows.

But the advice is also simple: 99% of the problems are solved by using
parameterized queries ( pretty much every language/db library has them )

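As an added illustration of the parameterized-query advice above (example code written for this page, not from the thread or the linked article): it runs the same untrusted string through a concatenated query and a bound-parameter query against a constructed in-memory sqlite3 table, and also shows the case parameters do not cover, a column name chosen by the caller, which needs an allow-list (ALLOWED_SORT_COLUMNS here is a hypothetical one).

```python
import sqlite3

# Constructed sample data for this example; not from the original thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn

def lookup_concat(conn, name):
    # Vulnerable: the caller's string is spliced into the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Safe: the statement text is fixed and the value is bound separately;
    # whatever the string contains, it is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Hypothetical allow-list: identifiers (table/column names, ORDER BY targets)
# cannot be bound as parameters, so they must be validated another way.
ALLOWED_SORT_COLUMNS = {"name", "secret"}

def list_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    # Safe only because 'column' was checked against a fixed set above.
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"
    print(lookup_concat(conn, tampered))  # every row: the WHERE clause was rewritten
    print(lookup_param(conn, tampered))   # no rows: no user has that literal name
```
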
~~~
scott_s
You missed his point.

Preventing buffer overflows is simple and well understood, yet it's still a
problem. Preventing SQL injection is not as simple.* He's pointing out that if
we have big problems even in the presence of simple solutions, we'll have even
worse problems with not as simple solutions.

*Your solution might be "simple," but it's still more complicated than making sure you don't overrun your buffer.

~~~
utnick
ah yes, good catch

I misread that

------
ScottWhigham
Correct title is "How to Write Injection-Proof PL/SQL"

------
nihilocrat
Another instance of xkcd seen in a "serious" context: page 14.

