
Uncle Sam’s Had It Up To Here With “Unforgivable” SQL Injection Flaws

From Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups comp.databases
Subject Uncle Sam’s Had It Up To Here With “Unforgivable” SQL Injection Flaws
Date Wed, 27 Mar 2024 00:00:08 -0000 (UTC)
Message-ID <utvni8$2e120$3@dont-email.me>


We all know SQL injection attacks are an ongoing problem
<https://www.theregister.com/2024/03/26/fbi_cisa_sql_injection/>. What
interested me about this article is this part:

    Software vendors have been advised to use parameterized queries
    with prepared statements to mitigate SQL injection
    vulnerabilities. According to the authorities, these allow
    user-input data to be separated from SQL queries and "better
    embody a secure by design approach" compared to input sanitization
    techniques.

    These are deployed by some vendors, but were branded "brittle" by
    CISA and the FBI. They said they're also difficult to deploy on a
    large scale and are more easily bypassed.

Funny, that. Every time I post examples of how I dynamically construct
SQL query strings with proper quoting of user input, I get yelled at
and told to use “parameterized queries” and “prepared statements”, or
even an ORM. Yet here we have the security experts saying that that is
not a good solution, just like I thought all along.
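As an added illustration (not code from the post, the article, or the agencies it quotes), the contrast the quoted excerpt draws can be shown directly: the same lookup built by string concatenation, built with hand-escaped quotes, and issued as a parameterized query, each run against a constructed in-memory SQLite table. The escaped variant happens to hold up for these inputs, but its safety rests on reproducing the server's quoting rules correctly at every call site, whereas the parameterized form never lets the value enter the SQL text at all.

```python
import sqlite3

# Constructed sample rows; not data from the original post.
ROWS = [("alice", "alice@example.com"), ("o'brien", "ob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, name):
    # Dynamic construction: the input is spliced into the SQL text,
    # so the parser sees whatever the caller typed as part of the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_escaped(conn, name):
    # "Proper quoting" by hand: double every single quote (SQL string rule).
    # Correct only if this matches the engine's rules for every input type
    # and every place a value is inserted; that is the brittleness at issue.
    sql = "SELECT email FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_param(conn, name):
    # Parameterized query: SQL text is fixed; the driver passes the value
    # separately, so it can only ever be compared as data.
    sql = "SELECT email FROM users WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (name,))]


def compare(name):
    """Return (concat, escaped, parameterized) results for one input.
    A failed parse under concatenation is reported as an 'error: ...' string."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    return concat, lookup_escaped(conn, name), lookup_param(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(probe), "->", compare(probe))
```

A legitimate name containing an apostrophe is enough to break the concatenated version, and an input that closes the quote turns the fixed predicate into one that matches every row; the parameterized lookup returns exactly the rows whose name equals the literal input in both cases.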
