We all know SQL injection attacks are an ongoing problem <https://www.theregister.com/2024/03/26/fbi_cisa_sql_injection/>. What interested me about this article is this part:
Software vendors have been advised to use parameterized queries with prepared statements to mitigate SQL injection vulnerabilities. According to the authorities, these allow user-input data to be separated from SQL queries and "better embody a secure by design approach" compared to input sanitization techniques.

These are deployed by some vendors, but were branded "brittle" by CISA and the FBI. They said they're also difficult to deploy on a large scale and are more easily bypassed.
Funny, that. Every time I post examples of how I dynamically construct SQL query strings with proper quoting of user input, I get yelled at and told to use “parameterized queries” and “prepared statements”, or even an ORM. Yet here we have the security experts saying that that is not a good solution, just like I thought all along.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
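An added example, not from the post or the article, putting the three approaches under discussion side by side on a constructed in-memory SQLite table: raw string concatenation, string construction with "proper quoting" (doubling single quotes), and a parameterized query. The sample rows and the probe inputs are constructed for the demonstration; the point is that the parameterized form gets the right answer without depending on the escaping rules being correct for every dialect and encoding.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Dynamic construction with no quoting: the input text becomes SQL grammar."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn, name):
    """The 'proper quoting' approach: escape the delimiter by doubling it,
    then splice the value into the query string."""
    escaped = name.replace("'", "''")
    sql = f"SELECT name FROM users WHERE name = '{escaped}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized query: the value travels beside the SQL, never inside it,
    so the database engine never parses it as part of the statement."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run one input through all three lookups; concatenation may raise."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    return {
        "concat": concat,
        "quoted": lookup_quoted(conn, name),
        "param": lookup_param(conn, name),
    }


if __name__ == "__main__":
    # A plain name, a name containing the delimiter, and a tautology probe.
    for probe in ["bob", "O'Brien", "x' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

On the delimiter case the concatenated query fails with a syntax error; on the tautology probe it returns every row, while both the quoted and the parameterized versions return nothing.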