Matthew Bosworth wrote:
> > On Aug 23, 2007, at 1:31 AM, Tracy R Reed wrote:
> [r.e. sql-injection attack]
>
> All of that said, I'm not sure that parameterized statements or
> prepared statements really fix SQL injection attacks. Consider:
>
>     SELECT * FROM users WHERE name = ?;
>
> now, imagine that the input name is:
>
>     Fred; DELETE * FROM users
>
> So the short version is -- make sure whatever library you use to do
> parameterized statements does a good job of cleaning the input. If I
> knew PHP I might have a suggestion, but I don't, so I don't.

No. The prepared statement is NOT vulnerable to what you suggest, and that
is exactly why it should be used. In your example, the name variable
containing a string with an attempted SQL injection is simply passed as
positional parameter #1 into a precompiled query. The SQL statement itself
is NOT re-parsed. The value may cause the query to fail and generate an
error or may simply cause it to return indicating no such name
"Fred; DELETE * FROM users" was found. The attempted injection fails
because it's just part of the variable.

See http://www.unixwiz.net/techtips/sql-injection.html

Dave Looney
--
All right, we are two nations. - John Dos Passos, U.S.A.

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
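The point Dave makes above, shown in running code. This is an added example written for this page, not code from either poster or from the unixwiz article: a lookup built by string concatenation beside the same lookup using a bound `?` parameter, run against an in-memory SQLite database with a constructed `users` table. The thread's payload is used as written except that the `*` is dropped from the DELETE, since SQLite does not accept `DELETE * FROM`; the tautology payload `' OR '1'='1` is added because a quote character is what actually lets the attacker's text reach the parser in the concatenated version. Table and column names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration; not real credentials.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("Fred", "pw")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the untrusted value is spliced into the SQL text,
    so any quote or keyword it contains is seen by the SQL parser."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Safe form: the SQL text is fixed and parsed first; the value is then
    bound to the ? placeholder and can only ever be compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def user_count(conn):
    """Row count, used to confirm no DELETE ever executed."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demonstrate():
    """Run both forms against the thread's payload and a tautology payload.
    Returns a dict of results so the behaviour can be checked, not just read."""
    conn = make_db()
    thread_payload = "Fred; DELETE FROM users"   # the poster's input, minus '*'
    tautology = "' OR '1'='1"                    # closes the quote, adds OR
    results = {
        # Whole payload sits inside the quotes: harmless even when concatenated.
        "concat_thread_payload": lookup_concatenated(conn, thread_payload),
        # Quote breaks out of the literal: every row comes back (auth bypass).
        "concat_tautology": lookup_concatenated(conn, tautology),
        # Bound parameters: both payloads are just strings nobody is named.
        "param_thread_payload": lookup_parameterized(conn, thread_payload),
        "param_tautology": lookup_parameterized(conn, tautology),
        # A legitimate lookup still works through the placeholder.
        "param_fred": lookup_parameterized(conn, "Fred"),
        "rows_remaining": user_count(conn),
    }
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Note that the bound version needs no "cleaning" of the input at all: the driver hands the value to the engine separately from the statement, so there is nothing to escape. The one caveat worth knowing is that some database drivers emulate placeholders client-side by escaping the value and interpolating it into the query string before sending it; that is still safe as long as the driver's escaping is correct for the server's dialect, but the guarantee then rests on the driver rather than on the server's separation of code and data, so it pays to check which mode a given driver is using.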
