hjertnes.blog

SQL Injections

08.08.2018 10:00

This used to be the big security thing everyone safe guarded against back when I was learning how to write code.

There is even a XKCD strip about it.

The basic idea is that input from a user is used directly to construct a SQL Query, and that can therfore be used to for example drop tables in your database.

I personally think this is a non issue today. Well, I think the issue still exist, but I do not think that it is anything that anyone should be the victim of. Because all programming languages have (or should have) libraries for most SQL databases that take care of this problem.

The way they take care of it is by the way to create the query. You write the query, and where you want to place dynmaic data, then you give it all the variables after that. By doing this you make sure that all the data in the variable are always treated as data and not as a query.

In other words: this should not be a problem as long as you use a good library, use it in the recommended way. And don’t create the queries in a dumb was (something like "select * from table where value”+variable_from_url=