On Wed, Sep 1, 2010 at 1:38 PM, Sam Lai <[email protected]> wrote:
> Out of curiosity (it isn't Friday yet, but close enough) - does
> parameterized SQL render all SQL injection attack techniques useless?

The answer depends on how you use your data; i.e. context. Typically
the answer would be "Yes", but then someone may say "but this
parameter here, that is a string, I actually take this and call 'exec
('select ' + foo + ' ...')'" and obviously, there is an issue there.


> If so, why do we still hear of successful SQL injection attacks,
> particularly in relatively newly written apps?

Depends on the context really. It's hard to refute a general
statement. You'll need to be specific about where you see SQL
injection in a framework where SqlParameters, or equivalent, are being
used, and everything is typed correctly and so on.


> A lack of education/knowledge, ignorance, the curse of PHP developers...

It's hard to blame the programmers totally for this, as it's almost
always a business issue that has led to the poor implementation
(security not being a priority). I do see some developers that have a
poor attitude to security (I can't count the number of arguments I've
been in as to the validity of using MD5 *still*, it's been dead for so
long now), but in general I think people do care, but it needs to be
easy for them to do it. Until "security" is considered a necessity;
i.e. handling data and context correctly, you'll see these problems.

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."
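The point made in the reply above (parameters are safe at the call site, but a stored procedure that takes the bound value and rebuilds SQL by string concatenation inside an exec reintroduces the injection) is easy to see in code. The following is an added example, not part of the thread; it uses Python's sqlite3 module as a stand-in for the database, constructed sample rows, and hypothetical function names to emulate the three cases: a parameterized query, a dynamic statement built like `exec('select ... ' + foo + ' ...')`, and the same dynamic statement fixed by binding the value to a placeholder instead of concatenating it.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_parameterized(conn, name):
    """Case 1: the value is bound to a placeholder and never becomes SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def find_user_dynamic_concat(conn, name):
    """Case 2 (the hole the reply describes): the caller bound `name` as a
    parameter, but this 'stored procedure' rebuilds the statement by
    concatenation, the way exec('select ... ' + @name + ' ...') would.
    The bound value is now part of the SQL text again."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def find_user_dynamic_bound(conn, name):
    """Case 3 (the fix): dynamic SQL is still assembled, but the value is
    passed to the inner statement as a bound parameter (the equivalent of
    sp_executesql with a parameter list rather than a concatenated literal)."""
    sql = "SELECT name FROM users WHERE name = ?"  # text assembled dynamically, value bound
    return [r[0] for r in conn.execute(sql, (name,))]


def compare_all(name):
    """Run the same input through all three paths; returns a dict of results.
    A tautology-shaped input returns no rows in cases 1 and 3 but every row
    in case 2, which is the behaviour a reviewer should flag."""
    conn = make_db()
    return {
        "parameterized": find_user_parameterized(conn, name),
        "dynamic_concat": find_user_dynamic_concat(conn, name),
        "dynamic_bound": find_user_dynamic_bound(conn, name),
    }


if __name__ == "__main__":
    for probe in ("bob", "x' OR '1'='1"):
        print(probe, "->", compare_all(probe))
```

Only the concatenating path returns rows for a value that is not a real user name; the two bound paths treat the whole string as one literal. The same three shapes appear in T-SQL as a plain parameterized query, an exec over a concatenated string, and sp_executesql with a parameter, so a review of stored procedures for exec-plus-concatenation is the practical check that the reply's caveat calls for.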
