[cryptography] [OT]: SQL injection blamed for widespread DNS hack

James A. Donald jamesd at echeque.com
Sun Sep 11 23:36:09 EDT 2011


It seems to me that if you use dynamic sql, you are bound to get 
injection attacks unless you are always careful, and you are not 
*always* going to be careful.  So if you use dynamic sql, you will always 
get injection attacks.

If you use mysqli and stored procedures, and *never* use dynamic sql, 
then you will not get injection attacks.

So don't use dynamic sql.

Mysqli needs an option to turn off run time parsing altogether - that is 
to say, to turn off the unnecessary and dangerous mysqli::query, which 
is the cause of most sql injection attacks.
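
The contrast drawn in the post above, as an added example that is not part of the original message: the same lookup written as dynamic SQL and as a fixed statement with a bound parameter. It uses Python's sqlite3 instead of mysqli so that it runs without a database server; the `zones` table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE zones (owner TEXT, domain TEXT)")
    db.executemany(
        "INSERT INTO zones VALUES (?, ?)",
        [
            ("alice", "alice.example"),
            ("bob", "bob.example"),
            ("o'brien", "obrien.example"),
        ],
    )
    return db


def domains_dynamic(db, owner):
    # Dynamic SQL: the input becomes part of the statement text,
    # so the database parses whatever the caller supplied as SQL.
    sql = "SELECT domain FROM zones WHERE owner = '" + owner + "' ORDER BY domain"
    return [row[0] for row in db.execute(sql)]


def domains_bound(db, owner):
    # Fixed statement text: the input is passed as a bound value
    # and is only ever compared against the owner column.
    sql = "SELECT domain FROM zones WHERE owner = ? ORDER BY domain"
    return [row[0] for row in db.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a name containing a quote,
    # and a value that changes the WHERE clause when parsed as SQL.
    for owner in ("alice", "o'brien", "x' OR '1'='1"):
        try:
            dynamic = domains_dynamic(db, owner)
        except sqlite3.Error as exc:
            dynamic = "error: %s" % exc
        print(repr(owner), "dynamic:", dynamic, "bound:", domains_bound(db, owner))
```

The dynamic version fails on a legitimate name that contains a quote and returns every row for the third input; the bound version treats all three inputs as plain values.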



