[cryptography] [OT]: SQL injection blamed for widespread DNS hack
James A. Donald
jamesd at echeque.com
Sun Sep 11 23:36:09 EDT 2011
It seems to me that if you use dynamic sql, you are bound to get
injection attacks unless you are always careful, and you are not
*always* going to be careful. So if you use dynamic sql, you will always
get injection attacks.
If you use mysqli and stored procedures, and *never* use dynamic sql,
then you will not get injection attacks.
So don't use dynamic sql.
Mysqli needs an option to turn off run time parsing altogether - that is
to say, to turn off the unnecessary and dangerous mysqli::query, which
is the cause of most sql injection attacks.
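To make the post's distinction concrete, here is an added example that is not part of the original message: it uses Python's sqlite3 module (as a stand-in for mysqli, since it runs offline with no server) to contrast a dynamically built statement, where the untrusted value becomes part of the SQL text the engine parses, with a parameterized statement, where the value is bound after parsing and can only be treated as data. The table, rows and the hostile-looking input are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for a real users table (example data only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
    ])
    return conn

def lookup_dynamic(conn, name):
    """Dynamic SQL: the untrusted value is spliced into the statement text, so the
    engine parses it as part of the query (the mysqli::query pattern the post warns about)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """Parameterized statement: the query is parsed with a placeholder and the value
    is bound afterwards, so whatever it contains is only ever compared as data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

# Constructed input containing quote characters and an always-true condition.
HOSTILE_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_dynamic(conn, "alice"))            # ['alice']
    print(lookup_dynamic(conn, HOSTILE_NAME))       # ['alice', 'bob']: the input was parsed as SQL
    print(lookup_parameterized(conn, HOSTILE_NAME))  # []: the input stayed a literal string
```

The two lookups differ only in whether the statement is composed at run time; the parameterized version is the discipline the post calls for, where the application never hands the parser anything assembled from user input.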