
ohwp | 11 years ago

I think it's still very easy to create injectable queries. Prepared statements are a good start but people still forget to escape everything.

For example:

  prepare("SELECT name FROM users WHERE country = ? ORDER BY " + unescapedVar, country);
  
So I wonder, is there any way to force programmers into writing secure queries (by not writing queries)? Is ORM the way to go?
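The ORDER BY case from the post, worked through as an added example (not code from the thread): the value is bound, the sort column is concatenated, binding the column name instead does nothing useful, and an allow-list of sort keys is what actually closes the hole. It uses Python's sqlite3 and a constructed users table.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
ROWS = [(1, "alice", "NL"), (2, "bob", "NL"), (3, "carol", "DE")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def names_vulnerable(conn, country, order_by):
    # Same shape as the post: country is a bound parameter, but order_by is
    # concatenated, so whatever the caller passes is parsed and run as SQL.
    sql = "SELECT name FROM users WHERE country = ? ORDER BY " + order_by
    return [r[0] for r in conn.execute(sql, (country,))]


def names_bound_identifier(conn, country, order_by):
    # Not a fix: a bound parameter is a value, not an identifier. The ORDER BY
    # becomes a constant expression and the caller's choice has no effect.
    sql = "SELECT name FROM users WHERE country = ? ORDER BY ?"
    return [r[0] for r in conn.execute(sql, (country, order_by))]


# Allow-list: the caller chooses a key, the SQL fragment comes from this table.
ALLOWED_ORDER = {"id": "id", "name": "name", "name_desc": "name DESC"}


def names_safe(conn, country, sort_key):
    # Unknown keys are rejected before any SQL is built, so the only text that
    # ever reaches the query string is one of our own fragments.
    try:
        order_by = ALLOWED_ORDER[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_key!r}") from None
    sql = "SELECT name FROM users WHERE country = ? ORDER BY " + order_by
    return [r[0] for r in conn.execute(sql, (country,))]
```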


Eiwatah4 | 11 years ago

Just generally, don't write SQL queries as strings. An ORM is one option, language-level extensions another. But for that you need some good macros in your language - or convince the maintainers of your compiler to add it to the language (like Microsoft did in C#).