
01/21/2010

Comments


webdevguy

Would this not need any input filtering before use in a SQL statement?

Don Ankney

If you are calling the stored procedure using parameterized queries, then you don't need to do any additional sanitization to prevent SQL Injection. You still will want to do appropriate sanitization to mitigate against other injection attacks such as XSS, though.

When relying on parameterized queries, make sure that you're using a database/driver combination that supports them. The PHP PDO class will emulate prepared statements (PHP's term) if the database driver doesn't support them. Emulated parameterization won't protect against SQL Injection; it's simply there for uniform data access. MySQL5 -- the usual suspect in PHP -- works just fine.

You can check other PHP drivers here: http://us2.php.net/manual/en/pdo.drivers.php
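An added example (not the commenter's code) of what the reply describes: a PDO connection that asks the driver for native prepared statements, verifies it got them, and binds the request input when calling a stored procedure. The DSN, credentials and the procedure name `get_user_by_id` are assumptions for illustration.

```php
<?php
// Added example. DSN, credentials and the procedure `get_user_by_id` are assumed.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';

$pdo = new PDO($dsn, 'app_user', 'app_password', [
    // Request server-side (native) prepared statements. With emulation on, PDO
    // interpolates values into the SQL text client-side instead of sending them
    // separately from the statement.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Check that the driver honoured the request rather than assuming it did.
// pdo_mysql reports this attribute; treat a truthy value as "still emulating".
if ((bool) $pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES)) {
    throw new RuntimeException('Driver is emulating prepared statements; refusing to continue');
}

// Untrusted request input. The pattern the first comment is worried about would be
// building the statement string from it, e.g. "CALL get_user_by_id(" . $_GET['id'] . ")".
// Instead, validate the type, then bind the value as a parameter.
$userId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($userId === false || $userId === null) {
    http_response_code(400);
    exit('invalid id');
}

$stmt = $pdo->prepare('CALL get_user_by_id(:id)');
$stmt->bindValue(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$stmt->closeCursor(); // a CALL returns an extra result set; release it before reuse

// Parameterization only covers the SQL context. Output to HTML still needs its
// own escaping, which is the XSS point made in the reply.
echo htmlspecialchars((string) ($user['name'] ?? ''), ENT_QUOTES, 'UTF-8');
```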
