[WEB SECURITY] Stored Procedures Vs. Simple String Concatenation When Protecting Against SQL injections
Jeff Robertson
jeff.robertson at digitalinsight.com
Tue Sep 12 12:53:49 EDT 2006
Stored procedures are not the opposite of building SQL by string
concatenation.
Consider this:
    // con is an existing java.sql.Connection; the stored procedure is still
    // invoked by pasting caller-supplied strings into the SQL text
    void addCustomer(String firstname, String lastname) throws SQLException {
        String sql = "EXECUTE usp_addcustomer '" + firstname + "', '"
                   + lastname + "'";
        con.createStatement().execute(sql);
    }
Code like this is fairly common, and just as insecure as if that was
"insert into customers".
The opposite of string concatenation is Prepared Statements aka "bind
parameters".
> -----Original Message-----
> From: Schmidt, Albert E [mailto:AES at ola.state.md.us]
> Sent: Tuesday, September 12, 2006 12:05
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Stored Procedures Vs. Simple String
> Concatenation When Protecting Against SQL injections
>
> What advantages are there when using stored procedures Vs.
> simple string Concatenation When Protecting Against SQL injections?
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
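The contrast the reply describes, as an added example that is not code from the post: the concatenated stored-procedure call from the message next to the same procedure called with bind parameters through JDBC, plus a bound plain INSERT. The procedure usp_addcustomer(firstname, lastname), the customers table and the supplied Connection are assumptions.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not from the mailing-list post. Assumes a stored procedure
 * usp_addcustomer(firstname, lastname) and a customers table with
 * firstname/lastname columns (both hypothetical), and an open Connection.
 */
public class CustomerDao {
    private final Connection con;

    public CustomerDao(Connection con) {
        this.con = con;
    }

    // Vulnerable (the pattern from the post): using a stored procedure does
    // not help, because the arguments are still pasted into the SQL text, so
    // a quote character inside lastname changes the statement itself.
    public void addCustomerConcatenated(String firstname, String lastname) throws SQLException {
        String sql = "EXECUTE usp_addcustomer '" + firstname + "', '" + lastname + "'";
        try (Statement st = con.createStatement()) {
            st.execute(sql);
        }
    }

    // Safe: the same stored procedure, but the SQL text is fixed and each
    // argument is bound as data, so the driver never parses user input as SQL.
    public void addCustomerBound(String firstname, String lastname) throws SQLException {
        try (CallableStatement cs = con.prepareCall("{call usp_addcustomer(?, ?)}")) {
            cs.setString(1, firstname);
            cs.setString(2, lastname);
            cs.execute();
        }
    }

    // Safe without any stored procedure at all: a plain INSERT with bind
    // parameters gives the same protection, which is the post's point.
    public void addCustomerInsert(String firstname, String lastname) throws SQLException {
        String sql = "INSERT INTO customers (firstname, lastname) VALUES (?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, firstname);
            ps.setString(2, lastname);
            ps.executeUpdate();
        }
    }
}
```

The two bound versions behave identically for an input such as O'Brien; only the concatenated one turns the apostrophe into part of the statement.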