[WEB SECURITY] Stored Procedures Vs. Simple String Concatenation When Protecting Against SQL injections
Stefano Di Paola
stefano.dipaola at wisec.it
Tue Sep 12 14:51:19 EDT 2006
In stored procedures, parameters have to be sanitized too... think about
Oracle SQL injections on stored procedures.
Anyway, prepared statements are a good alternative to parameter
sanitization from within your code.
In particular,
prepared statements are a SQL paradigm (where implemented..).
On MySQL (http://dev.mysql.com/doc/refman/5.0/en/sqlps.html):
On PHP, have a look at mysqli:
http://www.php.net/manual/en/function.mysqli-prepare.php
On J2EE/J2SE:
http://java.sun.com/j2se/1.4.2/docs/api/java/sql/PreparedStatement.html
On .Net, surely you can google :)
What is the difference?
Your parameter sanitization could be too kind... better to let your DBMS do what it knows very well.
Well if you want you could do your checks, too.
regards
Stefano
On Tue, 2006-09-12 at 12:04 -0400, Schmidt, Albert E wrote:
> What advantages are there when using stored procedures vs. simple string
> concatenation when protecting against SQL injections?
>
..oOOo...oOOo...
Stefano Di Paola
Software Engineer
Web: www.wisec.it
................
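The contrast Stefano draws (string concatenation, a hand-rolled sanitizer that is "too kind", and a prepared statement with bound parameters) as an added, runnable example; this is not code from the original thread. It uses Python's sqlite3 instead of the mysqli/JDBC APIs linked above so it runs offline, and the users table and its rows are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample table; the schema and rows are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def names(rows):
    return [row[0] for row in rows]

def lookup_concat(conn, name):
    # String concatenation: the input is spliced into the SQL text, so a value
    # that closes the quoted literal changes the statement's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return names(conn.execute(sql))

def naive_escape(value):
    # A hand-rolled sanitizer that only doubles single quotes ("too kind").
    return value.replace("'", "''")

def lookup_by_id_escaped(conn, user_id):
    # Numeric context: no quotes surround the value, so quote-escaping does
    # nothing and the value is still parsed as SQL.
    sql = "SELECT name FROM users WHERE id = " + naive_escape(user_id)
    return names(conn.execute(sql))

def lookup_prepared(conn, name):
    # Parameter binding: the statement shape is sent as-is and the value is
    # bound separately, so the DBMS never parses the value as SQL.
    return names(conn.execute("SELECT name FROM users WHERE name = ?", (name,)))

def lookup_by_id_prepared(conn, user_id):
    # Same in numeric context: the bound text is compared as a value, not parsed.
    return names(conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)))

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    print(lookup_concat(conn, hostile))             # ['alice', 'bob']
    print(lookup_prepared(conn, hostile))           # []
    print(lookup_by_id_escaped(conn, "1 OR 1=1"))   # ['alice', 'bob']
    print(lookup_by_id_prepared(conn, "1 OR 1=1"))  # []
```

The same structural point applies to a stored procedure that builds dynamic SQL from its arguments internally: it behaves like lookup_concat, which is why the procedure's parameters still need care.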