
Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Vic
Childcatcher

Re: Can someone please explain

SQL injection is easy to fix using parameterized queries, they are widely supported and have been around for a long time.

Mostly...

I was writing some Python[1] a while back, and it required DB access - we were using MySQL.

The first library I tried - the "recommended" one - claimed that MySQL doesn't support prepared statements[1], so the library didn't try.

The second library I tried claimed to support prepared statements - but looking through the code, it simply did string substitution, so there was no protection against SQL injection whatsoever.

So whilst SQL injection *should be* a thing of the past, it's not entirely the fault of developers that read documentation; in some circumstances, the library developers are making claims that are simply untrue :-(

Vic.

[1] I ended up re-writing the code in perl; the problems went away :-)
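A quick way to check whether a driver's "prepared statement" support is real binding or just string substitution, as the post describes, is to bind a canary value that would change the query's meaning if it were pasted into the SQL text. The example below is added here and is not Vic's code or any named library's; `naive_execute` is a constructed stand-in for a substituting driver, and `real_execute` uses Python's built-in sqlite3 binding.

```python
import sqlite3

# Canary: a real bound parameter is compared as the literal string "' OR '1'='1"
# and matches nothing; pasted into the SQL text it turns the WHERE into a tautology.
CANARY = "' OR '1'='1"


def naive_execute(cur, sql, params):
    """Constructed stand-in for a driver that claims prepared-statement
    support but only does string substitution into the SQL text."""
    return cur.execute(sql.replace("?", "'%s'" % params[0]))


def real_execute(cur, sql, params):
    """Genuine parameter binding via sqlite3's qmark placeholders."""
    return cur.execute(sql, params)


def driver_binds_parameters(execute):
    """Return True if `execute` keeps parameter values out of the SQL text.

    Uses an in-memory SQLite table with constructed sample rows. A binding
    driver returns exactly one row for a normal lookup and zero rows for the
    canary; a substituting driver returns every row (or raises on the
    unbalanced quote), both of which count as a failed check.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (name TEXT)")
    cur.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    query = "SELECT name FROM users WHERE name = ?"
    try:
        # Sanity check: an ordinary value must still match its own row.
        if execute(cur, query, ("alice",)).fetchall() != [("alice",)]:
            return False
        rows = execute(cur, query, (CANARY,)).fetchall()
    except sqlite3.Error:
        # An unbalanced quote reaching the parser means the value was spliced in.
        return False
    finally:
        conn.close()
    return len(rows) == 0


if __name__ == "__main__":
    print("sqlite3 binding:", driver_binds_parameters(real_execute))   # True
    print("string substitution:", driver_binds_parameters(naive_execute))  # False
```

Run the same check against the driver you actually use by wrapping its `execute` in a function with the same `(cur, sql, params)` shape and the placeholder style it documents.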
