
16 Mar 2007, 4:12 p.m.
Michael Walter wrote:
On 3/16/07, Jorge Lodos <lodos@segurmatica.cu> wrote:
Security is another reason to go away from sql queries as strings. Prevent SQL injection attacks.
You bind your parameters, you don't have any problems (except when this doesn't work, but then stored procedures don't help either).
Sure, but it is the programmer's responsibility to bind the parameters instead of concatenating strings. Not using SQL strings avoids errors from programmers. What happens with many of the existing SQL injection attacks is that programmers didn't bind parameters even when they had the possibility to do so.

Best regards,
Jorge
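The distinction the two messages above argue over, as an added example that is not part of the thread (it uses Python's standard sqlite3 module with a constructed in-memory table; the table and the function names are assumptions for illustration). The concatenated form treats whatever the caller supplies as SQL text, so even a legitimate name containing an apostrophe breaks the statement; the bound form hands the value to the driver as data, so the same input simply matches or does not match.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    # VULNERABLE: the query is assembled as a string, so the caller's input
    # becomes part of the SQL grammar. A single apostrophe in a real name is
    # enough to change the statement's structure.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_bound(conn, name):
    # SAFE: the ? placeholder is bound by the driver. The value travels as
    # data, never as SQL text, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def concatenation_breaks(conn, name):
    """True if the concatenated query fails to parse for this input.

    This is the cheapest check a reviewer can run against a string-built
    query: if ordinary data with a quote in it raises a syntax error, the
    input is being interpreted as SQL and the query must be parameterized.
    """
    try:
        find_user_concatenated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_user_bound(db, "O'Brien"))          # the row is found
    print(concatenation_breaks(db, "O'Brien"))    # True: string-built SQL fails
    print(find_user_bound(db, "' OR '1'='1"))     # []: treated as a literal name
```

The last call shows the point Michael makes: once the parameter is bound, a value that looks like SQL is compared as a plain string and matches nothing. The point Jorge adds is visible in the code as well: nothing stops a programmer from writing the first function, which is why a code review or a linter that flags string-built queries is the safeguard, not the availability of placeholders alone.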