Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed


Re: Languages don't 'sanitise input'...

There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input.

There *sort of* is.

Most SQL databases allow "prepared statements", in which the SQL command - sans data - is set up, and the data then supplied to it. This means that the parsing of command vs. data occurs long before the data turns up. Thus, once the data is applied, the DB will not confuse the two; SQL injection is obviated, even if the programmer "forgets" to sanitise the data.

Note, however, that the term "prepared statements" can be misused: I found a Python SQL library that promised prepared statements, but actually just used string formatting to create a simple statement. The result was that the library appeared to offer the protection I've outlined above, but actually didn't.
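An added example (not part of the comment above or of any library it mentions) that demonstrates both points in Python's standard sqlite3 module: a query built by string formatting, a real parameterised query, and a hypothetical helper `fake_prepare` that stands in for the kind of library the commenter describes, one that accepts placeholders but merely quotes and formats the values into the SQL text. The `users` table, its rows and the function names are all constructed for the example; the payload is the classic tautology-plus-comment string.

```python
import sqlite3

# Constructed sample data: a tiny users table held in memory so the example
# runs offline. Names and passwords are illustrative only.
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# A classic injection string: closes the quoted literal, adds a tautology,
# and comments out the rest of the statement (including the password check).
PAYLOAD = "' OR 1=1 --"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_formatted(conn, name, password):
    """Vulnerable: user input is spliced into the SQL text, so the database
    parses the data as part of the command."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_prepared(conn, name, password):
    """Safe: the statement is parsed with '?' placeholders first; the values
    are bound afterwards and can never become SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def fake_prepare(sql_template, params):
    """Hypothetical helper modelling a library that *claims* prepared
    statements but just quotes the parameters and formats them into the
    string. The result is parsed by the database with data and command mixed."""
    quoted = tuple("'%s'" % p for p in params)
    return sql_template.replace("?", "%s") % quoted


def login_fake_prepared(conn, name, password):
    """Looks parameterised at the call site, but is as injectable as
    login_formatted because of how fake_prepare builds the SQL."""
    sql = fake_prepare(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def is_really_parameterised(login_fn, conn):
    """Practitioner's check for the problem described in the post: feed the
    tautology payload with a wrong password. A genuinely parameterised query
    treats the payload as an ordinary (non-matching) name and returns nothing;
    anything that returns rows is formatting data into the command."""
    return login_fn(conn, PAYLOAD, "wrong") == []


if __name__ == "__main__":
    db = setup_db()
    for fn in (login_formatted, login_fake_prepared, login_prepared):
        print("%-20s rows=%-18s parameterised=%s"
              % (fn.__name__, fn(db, PAYLOAD, "wrong"),
                 is_really_parameterised(fn, db)))
```

The check function is the practical takeaway: when a library advertises prepared statements, do not take the API shape as proof, send it a payload and look at what comes back (or enable the database's statement log and look at the SQL that actually arrives). Note also that placeholders bind values only; table and column names cannot be parameterised and must be validated against an allow-list.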
