It seems to me that if you use dynamic sql, you are bound to get
injection attacks unless you are always careful, and you are not
*always* going to be careful. So if you use dynamic sql, you will always
get injection attacks.
If you use mysqli and stored procedures, and *never* use dynamic sql,
then you will not get injection attacks.
So don't use dynamic sql.
Mysqli needs an option to turn off run time parsing altogether - that is
to say, to turn off the unnecessary and dangerous mysqli::query, which
is the cause of most sql injection attacks.
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
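The contrast the post draws between mysqli::query on concatenated SQL text and a parsed-once prepared statement, as an added example that is not part of the original message. It assumes a mysqli connection with made-up credentials, a hypothetical table users(id, name, email), and the mysqlnd driver (needed for get_result).

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// $db and a hypothetical table users(id, name, email).

// Dynamic SQL: the caller-supplied value is spliced into the SQL *text*, so
// the server parses it as SQL at run time rather than treating it as data.
function findUserUnsafe(mysqli $db, string $name): ?array {
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $result = $db->query($sql);               // run-time parsing of untrusted text
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Prepared statement: the statement is parsed once with a placeholder and the
// value is sent separately, so it cannot change the statement's structure.
function findUserSafe(mysqli $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, name, email FROM users WHERE name = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $name);            // "s": bind as a string value
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed input, standing in for a request parameter.
$input = "alice' OR '1'='1";

$db = new mysqli("localhost", "app", "secret", "appdb"); // assumed credentials
$db->set_charset("utf8mb4");

// Unsafe: the SQL text sent to the server becomes
//   SELECT id, name, email FROM users WHERE name = 'alice' OR '1'='1'
// and the WHERE clause is now true for every row, not one user.
var_dump(findUserUnsafe($db, $input));

// Safe: the whole string is bound as one literal value, so the query matches
// only a user literally named "alice' OR '1'='1" (none), and returns null.
var_dump(findUserSafe($db, $input));
```

A grep for `->query(` or `mysqli_query(` with a concatenated or interpolated string is a quick way to find the dynamic-SQL call sites the post wants removed; each should become a prepare/bind_param/execute triple.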