On 1 September 2010 13:38, Sam Lai <[email protected]> wrote:
> Out of curiosity (it isn't Friday yet, but close enough) - does
> parameterized SQL render all SQL injection attack techniques useless?
>

Yes, with the single (AFAIK) exception of particularly special people who take the input on the stored procedure side, assemble it into dynamic SQL, and then EXECUTE @Statement it in T-SQL.

> If so, why do we still hear of successful SQL injection attacks,
> particularly in relatively newly written apps?

People do not think about quality or maintenance.

> A lack of education/knowledge, ignorance, the curse of PHP developers...

I would not single out PHP developers for this.

-- 
David Connors | [email protected] | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
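The exception David describes, as an added T-SQL illustration that is not part of the thread: the application calls both procedures below with a properly parameterized command (for example `EXEC dbo.FindCustomers_Bad @Name = @p1`), so the client-side query cannot be injected into. The first procedure then throws that protection away by pasting the parameter into a string and executing it; the second keeps the dynamic statement but passes the value through sp_executesql as a real parameter, and validates the one thing that genuinely cannot be parameterized (an identifier) against an allow-list. The table, columns and procedure names are made up for this example.

```sql
-- Added example, not from the thread. dbo.Customers and the procedure
-- names are assumed for illustration.

-- Vulnerable: the app's parameter arrives safely as @Name, then the
-- procedure concatenates it into @Statement and executes it as code.
CREATE PROCEDURE dbo.FindCustomers_Bad
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @Statement NVARCHAR(MAX);
    SET @Statement = N'SELECT CustomerId, Name FROM dbo.Customers '
                   + N'WHERE Name LIKE ''%' + @Name + N'%''';
    -- @Name = N'x''; DROP TABLE dbo.Customers; --' turns this into two
    -- statements; the parameterization on the caller's side did not help.
    EXEC (@Statement);
END;
GO

-- Fixed: dynamic SQL is still used (say, for a caller-chosen sort column),
-- but user values travel as parameters of sp_executesql, and the identifier
-- is checked against an allow-list and quoted with QUOTENAME.
CREATE PROCEDURE dbo.FindCustomers_Good
    @Name       NVARCHAR(100),
    @SortColumn SYSNAME = N'Name'
AS
BEGIN
    -- Identifiers cannot be bound as parameters, so validate, never trust.
    IF @SortColumn NOT IN (N'CustomerId', N'Name')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @Statement NVARCHAR(MAX) =
          N'SELECT CustomerId, Name FROM dbo.Customers '
        + N'WHERE Name LIKE ''%'' + @Pattern + ''%'' '
        + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- @Pattern is a bound parameter inside the dynamic batch: whatever the
    -- caller sends is compared as data and can never be parsed as SQL.
    EXEC sp_executesql @Statement,
                       N'@Pattern NVARCHAR(100)',
                       @Pattern = @Name;
END;
GO

-- Same payload against the fixed procedure: returns no rows, drops nothing.
EXEC dbo.FindCustomers_Good @Name = N'x''; DROP TABLE dbo.Customers; --';
```

The check a reviewer wants on any T-SQL procedure is therefore not "does the app use parameters?" but "does any EXEC or sp_executesql inside the procedure receive a string built from a parameter?"; if it does, the parameter must reach the inner batch through the sp_executesql parameter list, and anything that cannot (table or column names, ORDER BY direction) must be matched against a fixed allow-list first.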
