
I think it's still very easy to create injectable queries. Prepared statements are a good start but people still forget to escape everything.

For example:

  prepare("SELECT name FROM users WHERE country = ? ORDER BY " + unescapedVar, country);
  
So I wonder, is there any way to force programmers into writing secure queries (by not writing queries)? Is ORM the way to go?


Just generally, don't write SQL queries as strings. An ORM is one option, language-level extensions another. But for that you need some good macros in your language - or convince the maintainers of your compiler to add it to the language (like Microsoft did in C#).
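As an added illustration of both comments above (this is example code written for this page, not code from either commenter), the script below puts the thread's vulnerable pattern next to two fixes: the first binds the value and takes the ORDER BY identifier from an allowlist, the second hides the SQL behind a small builder so callers never hand over a string. It also shows the common wrong fix of binding the identifier itself, which silently sorts nothing. The schema, the rows and the `UserQuery` class are assumptions constructed for the example; it uses only Python's standard `sqlite3` module.

```python
import sqlite3

# Constructed sample schema and rows; they are an assumption for this example,
# not data from the thread.
ROWS = [("alice", "NL"), ("bob", "DE"), ("carol", "NL")]

# The only identifiers that may ever appear in ORDER BY / WHERE. Column names
# come from code, never from the request.
ALLOWED_COLUMNS = frozenset({"name", "country"})


def make_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def _check_identifier(column):
    """Allowlist check: an identifier is acceptable only if it is one of ours."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column {column!r}")
    return column


def vulnerable_query(conn, country, order_by):
    """The pattern from the thread: the value is bound, but whatever the caller
    passes as order_by is concatenated into the SQL and executed as-is."""
    sql = "SELECT name FROM users WHERE country = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (country,))]


def bound_identifier_query(conn, country, order_by):
    """A common wrong fix: binding the identifier. The bound value becomes a
    string literal, so every row gets the same sort key and ORDER BY does
    nothing, whatever column name is passed."""
    sql = "SELECT name FROM users WHERE country = ? ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (country, order_by))]


def safe_query(conn, country, order_by):
    """Hardened form: identifier taken from the allowlist, value still bound."""
    sql = f"SELECT name FROM users WHERE country = ? ORDER BY {_check_identifier(order_by)}"
    return [row[0] for row in conn.execute(sql, (country,))]


class UserQuery:
    """Hypothetical minimal query builder (not any ORM the thread names): callers
    choose filters and ordering through methods, so no SQL string is assembled
    outside this class and every identifier goes through the allowlist."""

    def __init__(self):
        self._filters = []  # (column, value) pairs; values are always bound
        self._order = None

    def where(self, column, value):
        self._filters.append((_check_identifier(column), value))
        return self

    def order_by(self, column, descending=False):
        self._order = (_check_identifier(column), descending)
        return self

    def run(self, conn):
        sql, params = "SELECT name FROM users", []
        if self._filters:
            sql += " WHERE " + " AND ".join(f"{c} = ?" for c, _ in self._filters)
            params = [v for _, v in self._filters]
        if self._order:
            col, desc = self._order
            sql += f" ORDER BY {col} {'DESC' if desc else 'ASC'}"
        return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_query(conn, "NL", "name DESC"))   # caller-supplied SQL fragment runs
    print(bound_identifier_query(conn, "NL", "name"))  # unsorted: the identifier became a literal
    print(safe_query(conn, "NL", "name"))
    print(UserQuery().where("country", "NL").order_by("name", descending=True).run(conn))
```

The builder is the point of the second comment in miniature: the direction (`DESC`/`ASC`) is chosen by a boolean and the column by an allowlist, so the only caller-controlled text that reaches the database is a bound parameter. The same idea is what an ORM or a compiler-integrated query language gives you at scale.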



