
01/21/2010

Comments


webdevguy

Would this not need any input filtering before use in a SQL statement?

Don Ankney

If you are calling the stored procedure using parameterized queries, then you don't need to do any additional sanitization to prevent SQL Injection. You still will want to do appropriate sanitization to mitigate against other injection attacks such as XSS, though.

When relying on parameterized queries, make sure that you're using a database/driver combination that supports them. The PHP PDO class will emulate prepared statements (PHP's term) if the database driver doesn't support them. Emulated parameterization won't protect against SQL Injection; it's simply there for uniform data access. MySQL5 -- the usual suspect in PHP -- works just fine.

You can check other PHP drivers here: http://us2.php.net/manual/en/pdo.drivers.php
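The pattern the reply describes, as an added example that is not code from the original post or from either commenter: a stored procedure called through PDO with bound parameters, with emulation switched off so the driver's own prepared statements are used, and the returned rows escaped separately for HTML output. The DSN, the credentials, the `app` database, the `find_user` procedure and its `id`/`username`/`bio` columns are placeholders assumed for this example.

```php
<?php
// Added example (not from the original post or the commenters): calling a
// stored procedure through PDO with bound parameters, then escaping on output.
// Assumptions: a MySQL database `app` with a stored procedure
// `find_user(IN p_username VARCHAR(64))` returning id/username/bio rows;
// the DSN, credentials and procedure name are placeholders for this example.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            // Throw on errors instead of failing silently.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Use the driver's native prepared statements; PDO will not
            // build the SQL string client-side from the bound values.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

/**
 * Look up users by name through the stored procedure. The user-supplied
 * value is never concatenated into the SQL text; it travels as a bound
 * parameter, so a value like "x' OR '1'='1" is just a literal username.
 */
function findUsers(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('CALL find_user(:username)');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // A CALL can leave an extra result set (the procedure's status) open;
    // close the cursor before reusing the connection.
    $stmt->closeCursor();
    return $rows;
}

/**
 * Parameterization says nothing about where the data goes next. When the
 * rows are rendered into HTML, escape them for that context: a bio of
 * "<script>alert(1)</script>" stored safely by the query above is still
 * XSS if echoed raw.
 */
function renderUsers(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $name = htmlspecialchars((string) $row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $bio  = htmlspecialchars((string) $row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "  <li>{$name}: {$bio}</li>\n";
    }
    return $html . "</ul>\n";
}

// Usage: the username comes straight from the request; no manual escaping
// is applied before the query, and escaping happens only at the HTML sink.
$pdo = connect();
$username = (string) ($_GET['username'] ?? '');
echo renderUsers(findUsers($pdo, $username));
```

With `PDO::ATTR_EMULATE_PREPARES` set to `false`, `prepare()` goes to the driver, which is the quickest way to find out whether the database/driver pair in use actually supports prepared statements: a driver without them errors at `prepare()` rather than quietly substituting values into the query string.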
