undefined | Better HN

0 pointsvbezhenar8y ago0 comments

SQL injection is a problem with SQL, which is similar to problems with HTML. SQL was created as human-friendly query languages, it wasn't created to be built from strings in a programming language. Proper database API should be just a bunch of query builder calls and with this API SQL-injection is not possible.

0 comments

cm21878y ago

SQL injection is a problem with incompetent developpers. Most languages have simple constructs to make them immune to injections, like parameterized queries.

If you are exposing code to an untrusted, hostile environment (which is pretty much the web), no language that does anything useful will protect you against not caring about security.

DaiPlusPlus8y ago

Not all queries can be parameterised - I'm not aware of any DBMS that allows for the parametiersation of identifiers (e.g. table and column names) or variadic operators and clauses (e.g. IN() and optional predicate clauses), this is why "Dynamic SQL" is a thing - which comes with the inherent risk of SQL Injection.

cm21878y ago

There are many reasons to create SQL dynamically, but I can't think of a good reason for the table name to come from the client.

Even if you absolutely need to inject a string in a sql query, sanitizing it is trivial. In .net / MS SQL, a simple x = x.Replace("'","''") does the trick. For any other common data type, strong typing should be sufficient to prevent any injection.

olmo8y ago

Like LINQ

mike_hearn8y ago

Exactly.

j / k navigate · click thread line to collapse

0 pointsvbezhenar8y ago0 comments

0 comments

cm21878y ago

SQL injection is a problem with incompetent developpers. Most languages have simple constructs to make them immune to injections, like parameterized queries.

If you are exposing code to an untrusted, hostile environment (which is pretty much the web), no language that does anything useful will protect you against not caring about security.

DaiPlusPlus8y ago

cm21878y ago

There are many reasons to create SQL dynamically, but I can't think of a good reason for the table name to come from the client.

olmo8y ago

Like LINQ

mike_hearn8y ago

Exactly.

j / k navigate · click thread line to collapse