On Sat, 12 Sep 2020 11:45:33 +0100, Andy Burns wrote:
> If you think those mitigate SQL injection attacks you are badly
> mistaken. Your code could use a fixed query string referencing
> @variables which are initialised with the values passed.
>
Is that the same as a prepared statement, as used by JDBC or (IIRC) ODBC
interface modules? Prepared statements are designed specifically to
protect your database against injection attacks.
If your DBMS supports database procedures, using them is also a good way
to avoid injection attacks.
For private projects I've pretty much standardised on using PostgreSQL
because it's very stable and has excellent self-managing capability,
including the ability to handle database changes associated with new
software versions. I always update tables via JDBC using prepared
statements, but tend to retrieve data via views when using less secure
scripted languages, e.g. Perl.
--
Martin | martin at
Gregorie | gregorie dot org
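The post contrasts building SQL text from caller-supplied values with fixed query text plus bound parameters (JDBC prepared statements or server-side @variables), and mentions giving less trusted scripts read access through a view rather than the base table. The following is an added example, not code from the thread: it uses Python's sqlite3 module in place of PostgreSQL/JDBC because it runs offline with no server, and the users table, the user_directory view and the rows in it are constructed for illustration. The parameterised pattern is the same in JDBC (`?` placeholders bound on a PreparedStatement) and in Perl DBI.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the PostgreSQL database
    the post describes (sqlite3 is used only so the example needs no server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    # Sample rows, constructed for this example.
    conn.executemany(
        "INSERT INTO users (name, email, password_hash) VALUES (?, ?, ?)",
        [("alice", "alice@example.invalid", "hash-a"),
         ("bob", "bob@example.invalid", "hash-b")],
    )
    # A view that exposes only the non-sensitive columns: a script that only
    # needs to read can be pointed at the view and never touches password_hash.
    conn.execute(
        "CREATE VIEW user_directory AS SELECT id, name, email FROM users"
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable pattern: the caller's value becomes part of the SQL text,
    so quotes and operators in it are parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """Prepared/parameterised pattern: the query text is fixed and the value
    is bound separately, so it can only ever be compared as a string."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def update_email(conn, user_id, new_email):
    """Writes go through a bound-parameter statement; returns rows changed."""
    cur = conn.execute(
        "UPDATE users SET email = ? WHERE id = ?", (new_email, user_id)
    )
    conn.commit()
    return cur.rowcount


def read_directory(conn):
    """Read path for less trusted code: selects from the view, not the table."""
    return conn.execute(
        "SELECT id, name, email FROM user_directory ORDER BY id"
    ).fetchall()


def view_hides_hash(conn):
    """True if the view really does not expose password_hash."""
    try:
        conn.execute("SELECT password_hash FROM user_directory")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"          # constructed test value, not a real input
    print("concat :", find_by_name_concat(db, hostile))   # every row leaks
    print("param  :", find_by_name_param(db, hostile))    # no match
    print("updated:", update_email(db, 1, "alice2@example.invalid"))
    print("view   :", read_directory(db), view_hides_hash(db))
```

Running it shows the concatenated query returning every user for the test value, while the parameterised query returns nothing because the whole string is compared literally; the view rejects any attempt to read the hash column.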