On 2020-09-12 at 13:35, Martin Gregorie wrote:
> Is that the same as a prepared statement, as used by JDBC or (IIRC) ODBC
> interface modules? Prepared statements are designed specifically to
> protect your database against injection attacks
I don't think so. Prepared statements have been around longer than the
web form. Prepared statements are used if you don't want the database to
create a new execution path every time you execute a statement where
only the parameters are changed. For at least Oracle, it is a way to
keep the statement in the SGA cache. It is all about performance.
That it is safer for web forms may be good - but it is not the reason it exists.
"PREPARE creates a prepared statement. A prepared statement is a
server-side object that can be used to optimize performance."
When I started coding professionally I learned that PREPARE is the way
to go - no concatenating strings to a statement. This was in 1997.
The code base suggests that Sql.Prepare in our sql module had been around
for many years already by then.
> If your DBMS supports database procedures, using them is also a good way
> to avoid injection attacks.
And then you have a hard time switching databases.
Keep business logic in code and traceability in triggers.
At least I find that to be a sound principle.
--
Björn
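As an added illustration of the two points above (not code from the thread), here is a small Python example using sqlite3 and constructed sample rows: one prepared INSERT is reused for every row with only the parameters changing, and a lookup with a fixed statement text and a bound value is compared with a string-concatenated one on a name that contains a quote. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example; not taken from the original thread.
USERS = [("alice", "Alice Andersson"), ("obrien", "Miles O'Brien"), ("bob", "Bob Berg")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, fullname TEXT)")
    # One prepared INSERT, executed once per row: the statement text stays the
    # same and only the bound parameters change between executions.
    conn.executemany("INSERT INTO users (login, fullname) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_by_name_concat(conn, fullname):
    """String concatenation: the input becomes part of the SQL text itself."""
    sql = "SELECT login FROM users WHERE fullname = '" + fullname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_prepared(conn, fullname):
    """Parameterised statement: the SQL text is fixed, the value is bound separately."""
    sql = "SELECT login FROM users WHERE fullname = ?"
    return [row[0] for row in conn.execute(sql, (fullname,))]


def compare(fullname):
    """Run both variants on the same input and return what each produced.

    A quote inside the input breaks the concatenated statement (the database
    sees it as SQL syntax), while the bound parameter is handled as plain data.
    """
    conn = make_db()
    try:
        concat = find_by_name_concat(conn, fullname)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    prepared = find_by_name_prepared(conn, fullname)
    conn.close()
    return concat, prepared


if __name__ == "__main__":
    for name in ("Alice Andersson", "Miles O'Brien"):
        print(name, "->", compare(name))
```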