2008-04-22

On SQL Injection

SQL injection is sadly still a very common problem. Even broadly deployed software like WordPress still has SQL injection vulnerabilities because, instead of using prepared statements (in PHP, for instance through MDB2), it escapes the parameters its developers think could be used for an injection. Escaping is a fragile approach: it fails as soon as one parameter is missed or the escaping does not match the database's quoting rules. I really think that is not the way to go, and I suggest that everyone use prepared statements (in Java, JDBC's PreparedStatement): the parameter values are sent separately from the SQL text, so they can never change the structure of the query. Many SQL servers, MySQL included, support prepared statements natively, so they may even speed up the application, since the statement is parsed once and reused. To force you to use prepared statements and clean unsafe SQL out of your application, some databases, like H2, let you disable literals in SQL statements (SET ALLOW_LITERALS NONE), so any query built by concatenation is rejected at once.
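As an added example (this is not code from the original post, nor from WordPress, MDB2 or the H2 project), here is a small JDBC program against an in-memory H2 database. It runs the same lookup twice, once with string concatenation and once with a PreparedStatement, feeds both the classic `x' OR '1'='1` payload, and then switches on H2's ALLOW_LITERALS NONE to show that the concatenated query is refused while the prepared one keeps working. It assumes only that the H2 JDBC driver is on the classpath; the `users` table, its rows and the `countByName*` helpers are constructed here for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not part of the original post: string concatenation vs.
 * PreparedStatement against an in-memory H2 database, plus H2's ALLOW_LITERALS
 * setting. Requires only the H2 JDBC driver on the classpath.
 */
public class SqlInjectionDemo {

    // VULNERABLE (constructed for the demo): the caller-controlled value is
    // spliced into the SQL text, so quotes in it change the query structure.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the SQL text contains no literal at all; the value is bound to the
    // '?' placeholder and is compared as data, never parsed as SQL.
    static int countByNamePrepared(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // Constructed sample data: three users.
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            }

            String attack = "x' OR '1'='1";

            // Concatenation turns the WHERE clause into
            //   name = 'x' OR '1'='1'
            // which is true for every row: prints 3.
            System.out.println("concat:   " + countByNameConcat(c, attack));
            // The prepared statement compares the whole payload as a name: prints 0.
            System.out.println("prepared: " + countByNamePrepared(c, attack));

            // H2 can refuse literals altogether, so any concatenated SQL fails
            // fast in development and tests instead of silently working.
            try (Statement st = c.createStatement()) {
                st.execute("SET ALLOW_LITERALS NONE");
            }
            try {
                countByNameConcat(c, "alice");
                System.out.println("concat with literals disabled: unexpectedly succeeded");
            } catch (SQLException e) {
                // H2 error 90116: "Literals of this kind are not allowed".
                System.out.println("concat with literals disabled: rejected, error "
                        + e.getErrorCode());
            }
            // Bound parameters are not literals, so the prepared lookup still runs: prints 1.
            System.out.println("prepared with literals disabled: "
                    + countByNamePrepared(c, "alice"));
        }
    }
}
```

Running it with a benign name instead of `attack` gives the same count from both helpers, which is exactly why concatenation survives code review: the bug is invisible until a quote character arrives. Turning on ALLOW_LITERALS NONE in the test database makes the mistake a build failure rather than a production incident; the setting can also be put in the JDBC URL (`jdbc:h2:mem:demo;ALLOW_LITERALS=NONE`) once the schema has been created with literals allowed.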

Using an object-relational mapping solution like the Java Persistence API/Hibernate can make it easier to prevent SQL injection, because the ORM generates most INSERT, UPDATE and DELETE statements itself, with bound parameters. You still have to use setParameter in SELECT (JPQL/HQL) queries: a query string built by concatenating user input is just as injectable through the ORM as it is in plain SQL, and the same applies to native queries.
