How to Write Injection-Proof SQL
It’s about time someone wrote this paper:
ABSTRACT
Googling for “SQL injection” gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper demystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection.
Only when a PL/SQL subprogram executes SQL that it creates at run time is there a risk of SQL injection; and you’ll see that it’s easier than you might think to freeze the SQL at PL/SQL compile time. Then you’ll understand that you need the rules which prevent the risk only for the rare scenarios that do require run-time-created SQL. It turns out that these rules are simple to state and easy to follow.
EDITED TO ADD (10/26): Never mind; this seems to be a self-serving marketing piece.
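To make the abstract's distinction concrete, here is an added example in Oracle PL/SQL (written for this page, not taken from the paper or the post): a static-SQL lookup whose statement text is frozen at compile time, the dynamic-SQL version done with a bind variable, and the concatenated version that the paper's rules exist to forbid. The table and function names are assumptions.

```sql
-- Constructed example table (assumption, not from the page)
CREATE TABLE app_user (
  username VARCHAR2(30) PRIMARY KEY,
  email    VARCHAR2(100)
);

-- 1. Static SQL: the statement text is fixed when the PL/SQL compiles.
--    p_username reaches the SQL engine only as a bind value, so no value
--    of it can alter the statement's structure. This is the common case.
CREATE OR REPLACE FUNCTION email_static(p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_email app_user.email%TYPE;
BEGIN
  SELECT email INTO v_email FROM app_user WHERE username = p_username;
  RETURN v_email;
END;
/

-- 2. Dynamic SQL done safely: the text is still a compile-time literal;
--    the run-time value travels through the USING clause as a bind.
CREATE OR REPLACE FUNCTION email_dynamic_bound(p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_email app_user.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_user WHERE username = :u'
    INTO v_email USING p_username;
  RETURN v_email;
END;
/

-- 3. Dynamic SQL done wrongly (the pattern the rules forbid): the input
--    is concatenated into the statement text, so a username containing a
--    single quote is parsed as part of the query instead of as data.
CREATE OR REPLACE FUNCTION email_dynamic_concat(p_username IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_email app_user.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app_user WHERE username = ''' || p_username || ''''
    INTO v_email;
  RETURN v_email;
END;
/
```

Only the third form is exposed; the first two are immune regardless of what the caller passes, which is the paper's point that dynamic SQL, when genuinely needed, is safe as long as run-time values enter only through binds.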
blort • October 16, 2008 6:24 AM
the problem is the people who care already know this, and the vast majority of web-facing database apps are written by people who simply don’t care…