Description
SQL is the standard language for accessing database servers, including MySQL, Oracle, and SQL Server [1]. Web programming languages such as Java, ASP.NET, and PHP provide various methods for constructing and executing SQL statements, but, due to a lack of training and development experience, application developers often misuse these methods, resulting in SQL injection vulnerabilities (SQLIVs). Developers commonly rely on dynamic query building with string concatenation to construct SQL statements. During runtime, the system forms queries with inputs directly received from external sources. This method makes it possible to build different queries based on varying conditions set by users. However, as this is the cause of many SQLIVs, some developers opt to use parameterized queries or stored procedures. While these methods are more secure, their inappropriate use can still result in vulnerable code. In the PHP code examples below, name and pwd are the “varchar” type columns and id is the “integer” type column of a user database table.
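The contrast the paragraph draws, a query built by string concatenation beside the same query as a parameterized statement, rendered as an added example in Python with the standard-library sqlite3 driver (it is not the article's own PHP code; the table name users, the sample rows, and the function names are assumptions, while the column names name, pwd and id and their types follow the description above):

```python
import sqlite3

# Constructed in-memory table mirroring the description: name and pwd are
# varchar columns, id is an integer column. The table name "users" and the
# sample rows are assumptions; the article's own schema is not shown here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(64), pwd VARCHAR(64))"
    )
    conn.executemany(
        "INSERT INTO users (id, name, pwd) VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "O'Brien", "pa55")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, pwd):
    """Dynamic query built by string concatenation.

    The text of the inputs becomes part of the SQL grammar, so any quote or
    keyword in the input changes the statement the server parses.
    """
    sql = "SELECT id FROM users WHERE name = '" + name + "' AND pwd = '" + pwd + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def concat_query_fails(conn, name, pwd):
    """True when the concatenated statement is rejected by the parser.

    A legitimate value containing a single quote (O'Brien) is enough to break
    the statement, which is the same defect that makes it injectable.
    """
    try:
        login_concat(conn, name, pwd)
        return False
    except sqlite3.OperationalError:
        return True


def login_param(conn, name, pwd):
    """Parameterized query: the driver binds the values separately from the
    statement text, so input is always treated as data, never as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND pwd = ?", (name, pwd)
    ).fetchone()
    return row[0] if row else None


def find_by_id_param(conn, raw_id):
    """Integer column: validate the type before binding, so non-numeric input is
    rejected up front instead of being spliced into the statement."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("param login alice:", login_param(db, "alice", "s3cret"))
    print("param login O'Brien:", login_param(db, "O'Brien", "pa55"))
    print("concat breaks on O'Brien:", concat_query_fails(db, "O'Brien", "pa55"))
    print("param treats quote as data:", login_param(db, "alice' --", "x"))
    print("id lookup with non-integer input:", find_by_id_param(db, "2 OR 1=1"))
```

The same inputs show the difference directly: the parameterized login accepts the legitimate name O'Brien, while the concatenated version throws a syntax error on it, because the quote has rewritten the statement. A value such as alice' -- that would be interpreted as SQL in the concatenated build is matched as a literal user name by the bound parameter and finds no row, and the integer id lookup refuses anything that is not a whole number before a query is ever built.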