
The idea that NASDAQ might've been hacked using an SQL injection is pretty scary, as it's a pretty trivial attack to protect against in most cases (mysql_real_escape_string?). Is security in stock exchanges really so lax?

mysql_real_escape_string is not the right answer. The only way to prevent SQL injection attacks is to use bind variables.

mysql_real_escape_string isn't secure. AT ALL.

How so? The function does what it's supposed to do. Of course you still have to write the rest of the SQL statement to make use of the escaped input - put all params in quotes (or much better: use prepared statements to begin with).

This would be a perfect example of why SQL injections are so common: toolchains aren't secure (or even securish) by default -- and it isn't clear that this is the case.

Anyone not using prepared statements in 2013 is just being stupid - there is no reason to ever be vulnerable to a SQL injection, barring a bug in the database or driver you are using. It's totally unacceptable.

It is when used correctly within quotes (and used with common charsets, but that's a different story altogether). There is no publicly known way to inject the following when the database is encoded in ISO-8859-1 or UTF-8:

"SELECT ... WHERE `field_name` = '" . mysql_real_escape_string($string_value) . "'";
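The three positions taken in the thread (escaping is useless unless the value is also quoted; escaping inside quotes holds up; bind variables sidestep the question entirely) can be run side by side. The following is an added example, not code from the thread or from any poster. It uses Python's built-in sqlite3 module with an in-memory database, so it runs offline; because SQLite has no backslash escapes, the helper `escape_sqlite` doubles single quotes, which is the SQLite stand-in for what mysql_real_escape_string does with backslashes in MySQL. The `users` table, its rows, and the function names are constructed for the example. The charset-dependent caveat mentioned above is not exercised here.

```python
import sqlite3

# Constructed sample data for the example; not from the original thread.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
    (4, "o'brien", "obrien@example.com"),  # legitimate apostrophe in a name
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape_sqlite(value):
    """Stand-in for mysql_real_escape_string (assumption for this example).

    Makes a value safe ONLY when it is placed inside a single-quoted SQL string
    literal. SQLite expresses a literal quote by doubling it; MySQL would use a
    backslash, but the security property is the same: escaping does nothing
    for a value that is not surrounded by quotes.
    """
    return str(value).replace("'", "''")


def lookup_unquoted(conn, user_id):
    """Escaped but NOT quoted: numeric context, so escaping cannot help."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_sqlite(user_id)
    return conn.execute(sql).fetchall()


def lookup_quoted(conn, name):
    """Escaped AND wrapped in quotes: the pattern the thread calls correct."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_sqlite(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    """Bind variable: the value is never spliced into the SQL text at all."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unquoted(db, "2"))            # the expected single row
    print(lookup_unquoted(db, "0 OR 1=1"))     # injected: every row comes back
    print(lookup_quoted(db, "' OR '1'='1"))    # escaped inside quotes: no rows
    print(lookup_quoted(db, "o'brien"))        # legitimate quote still works
    print(lookup_bound(db, "0 OR 1=1"))        # bound: compared as a string, no rows
    print(lookup_bound(db, "2"))               # bound: the expected single row
```

Run it and compare the second and fifth lines: the same attacker-controlled string returns the whole table when it is escaped and concatenated into a numeric comparison, and nothing when it is passed as a bind variable. The quoted-and-escaped path also survives, which is the point made above, but it only holds because the developer remembered the quotes; the bound query has no such dependency.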
