On Sun, 2014-09-28 at 15:22 +1300, Steve Holdoway wrote:
On Sun, 2014-09-28 at 01:01 +0300, Eliezer Croitoru wrote:
This issue is almost the same as PHP or other scripts that quote a variable straight into an SQL query and do not use "values" and "?" (question marks) to restrict the variables to a specific scope.
From my point of view the PHP script should be fixed to prevent the SQL injection rather than patching MySQL or anything else.
I'll just pick you up on this point... using prepared statements necessarily skips the query buffer*, which could have performance issues on busy / poorly configured / slow IO servers... so there is a case for using a pre-created string instead - especially when the database is supporting a website and the vast majority of its work is delivering the same old data. No case for not sanitising input, obviously. However, when's it going to happen that someone works out a bobby tables hack for prepared statements anyway?
You're also skipping the concept of defence in depth, which the recognition of a 20 year old security hole has (hopefully!) brought back to the top of designers'/architects' thoughts!
Steve

*Must check on whether this is still true with InnoDB tables... logic tells me it is, but you never know.

--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
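The concatenation-vs-placeholder difference Eliezer describes, as an added example that is not part of the thread and not code from either poster: Python with an in-memory SQLite table stands in for the PHP/MySQL setup, since the placeholder mechanism is the same idea. The table, its rows, the payload strings and the function names are all constructed for this demo.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a web app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller's string is pasted straight into the SQL text,
    so quote characters in it change the shape of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Safe: the value is bound to the '?' placeholder and travels as data;
    the SQL text the engine parses never changes."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker inputs. The first closes the quoted literal and tacks on
# its own condition, commenting out the dangling quote with '--'; the second is
# the classic tautology that matches every row.
ADMIN_PAYLOAD = "x' OR role = 'admin' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups against the same inputs and return the results."""
    conn = make_db()
    return {
        "concat_honest": lookup_concat(conn, "bob"),
        "concat_admin": lookup_concat(conn, ADMIN_PAYLOAD),
        "concat_tautology": lookup_concat(conn, TAUTOLOGY_PAYLOAD),
        "prepared_honest": lookup_prepared(conn, "bob"),
        "prepared_admin": lookup_prepared(conn, ADMIN_PAYLOAD),
        "prepared_tautology": lookup_prepared(conn, TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the admin payload returns alice's row and the tautology returns all three users; the same strings passed through the placeholder match no row at all, because the engine compares them as literal names rather than parsing them as SQL.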