Kevin Hunter wrote:
What about an SQL injection bug that allows for increased privileges?
Um, web programming 101 is that you escape quotes on user-supplied
inputs. That ends SQL injection.
Pardon my naivete (I'm fairly new to web/DB programming) . . . is this
the current standard method of protection from SQL injection? How
does it compare to SQL preparation with bound variables?
When you use SQL Prepared statements it is normal for the db driver to
escape out the variables for you. Well at least it is in PHP, I can't
say for other systems.
Kevin
---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster
