How to Avoid SQL Injection Attacks
Veracode Senior Security Researcher Ryan O’Boyle discusses SQL Injection attacks and what can be done to avoid them.
Hmm, he says SQL injection can be prevented in multiple ways, then goes on to say it can be prevented by prepared statements and also by input validation. Of course developers should be doing "input validation", but do we really want developers to try and build whitelists to prevent SQLi? I think not! There is only one sure way to prevent SQLi, and that's bound parameters.
Comment by bsdwiz — August 3, 2012 @ 12:41 am
@bsdwiz: Sometimes you can't bind parameters. For example, if you are taking a user-provided value and passing it into an ORDER BY or a LIMIT, or even a table name. In that case, a whitelist should be used to ensure the parameter is numeric or matches a value in a predefined list. I think queries like these should be refactored entirely, but developers often don't want to do that.
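The two points above, a bound parameter for the value and a whitelist for the identifiers it cannot protect (ORDER BY column, sort direction, LIMIT), side by side. This is an added example, not code from the post or its commenters; the `products` table, its rows and the whitelist sets are constructed for the demonstration.

```python
import sqlite3

# Constructed whitelist: the only identifiers a caller may place in ORDER BY.
ALLOWED_SORT_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("apple", 1.5), ("banana", 0.5), ("cherry", 3.0)],
    )
    return conn


def search_unsafe(conn, term, sort_col):
    """Vulnerable: the search term and the sort column are both concatenated into SQL."""
    sql = ("SELECT name, price FROM products WHERE name LIKE '%" + term + "%' "
           "ORDER BY " + sort_col)
    return conn.execute(sql).fetchall()


def search_safe(conn, term, sort_col="name", direction="ASC", limit=10):
    """Hardened: bind the value, whitelist the identifiers, force LIMIT to an int."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not permitted: %r" % sort_col)
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("sort direction not permitted: %r" % direction)
    limit = int(limit)  # non-numeric input raises ValueError here
    # Only whitelisted identifiers are interpolated; user-supplied values are bound.
    sql = ("SELECT name, price FROM products WHERE name LIKE ? "
           "ORDER BY %s %s LIMIT ?" % (sort_col, direction))
    return conn.execute(sql, ("%" + term + "%", limit)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # textbook tautology; the trailing comment swallows the rest
    print("unsafe:", search_unsafe(db, payload, "name"))  # every row, filter bypassed
    print("safe:  ", search_safe(db, payload, "name"))    # no name contains that literal
    try:
        search_safe(db, "app", "name; DROP TABLE products")
    except ValueError as exc:
        print("rejected:", exc)
```

The same payload returns all rows through the concatenated query and none through the bound one; the whitelist check is what stops the identifier positions, which no driver can bind.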
You have to use a combination of techniques; anything can be defeated if you work at it hard enough. The idea behind defeating SQLi isn't that it is hack-proof, although that is what "we" as developers hope for, but rather that we make it expensive enough in time and resources that the potential hacker goes elsewhere or is caught in the attempt.
I see a lot of comments about developers on many sites. The thing I will say is this: yes, some developers have bad coding habits. However, oftentimes it is not the developer but real-world issues around scheduling and resources which cause the most impact. The developer would love to refactor the queries; unfortunately, as much as we hop up and down about SQLi, the business will often ignore warnings until the bottom line is impacted. Until the dynamic of what can be safely ignored in order to make the most is changed, this will always leave a road open for the would-be hacker.
Comment by Dave H — August 21, 2012 @ 8:20 am