[Full-disclosure] FW: Introducing a new generic approach to detecting SQL injection
mohit.muthanna at gmail.com
Wed Apr 20 21:14:09 BST 2005
> As you know, blocking SQL injection with filters on characters is painful and
> not always successful. I got thinking about it and thought of an approach
Painful? That's just an excuse for being lazy. (No offense intended.)
Not always successful? ... I don't get this, why not?
There are a number of tools and libraries that will quite easily and
robustly handle quoting / escaping issues for you. E.g., perl's DBI
module handles all your quoting issues by way of prepared statements.
All it takes is a little forethought and a lot less laziness.
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
Full-Disclosure is hosted and sponsored by Secunia.