On Wed, Sep 1, 2010 at 2:14 PM, David Connors <[email protected]> wrote:
> On 1 September 2010 13:47, silky <[email protected]> wrote:
>>
>> It's hard to blame the programmers totally for this, as it's almost
>> always a business issue that has led to the poor implementation
>> (security not being a priority).
>
> I don't know that it is fair to say it is 'almost always a business issue'.
> I don't think it really takes much more time to write a parameterised stored
> procedure that does not execute SQL versus sticking strings together in a
> haphazard/dodgy fashion.
> Developers should step up and take responsibility and pride in the quality
> of the work they produce IMNSHO.
>

I know that in our case we're using non-parameterised queries because
another programmer wrote an (otherwise) rather useful framework that
handled other database issues, including hitting multiple databases
and joining the results together.

That framework is now in our "common" utilities, as is my QuoteString
which is our only SQL injection defence :-( So far it's only caused
SQL syntax errors when particularly curly Unicode is submitted.

> --
> David Connors | [email protected] | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417
> 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact
>
-- 
Regards,
Mark Hurd, B.Sc.(Ma.)(Hons.)
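The contrast the thread draws between a concatenated query guarded by a quoting helper and a parameterised one, as an added example that is not from the thread or from the poster's framework; `quote_string` is a hypothetical stand-in (not the poster's QuoteString), and the sample rows are constructed:

```python
import sqlite3

# Constructed sample rows (not from the thread): one name with a plain
# apostrophe, one with curly Unicode quotes.
USERS = [("alice", "Alice O'Brien"), ("bob", "Bob \u201cCurly\u201d Smith")]


def quote_string(value: str) -> str:
    """Hypothetical stand-in for a home-grown QuoteString: wraps the value
    in single quotes but escapes nothing, the 'sticking strings together'
    pattern the thread criticises. Correct escaping is dialect specific
    (which characters delimit strings, whether backslash is special), so
    even a more careful helper only holds for the database it was written for."""
    return "'" + value + "'"


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str):
    """String concatenation: the value becomes part of the statement text,
    so any character the parser treats specially changes the query.
    Returns the matched logins, or the exception name when the SQL breaks."""
    sql = "SELECT login FROM users WHERE name = " + quote_string(name)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return type(exc).__name__


def find_by_name_param(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver binds the value separately from the
    statement text, so apostrophes and Unicode are data, never syntax."""
    rows = conn.execute("SELECT login FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup()
    for _, name in USERS:
        print(repr(name), find_by_name_concat(db, name), find_by_name_param(db, name))
```

The apostrophe in the first name breaks the concatenated statement (a syntax error, the same class of failure the poster sees with awkward input), while the parameterised form returns the right row for both names with no quoting logic at all.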
