[Owasp-leaders] Stop blaming developers on Sql Injection
Rogan Dawes
lists at dawes.za.net
Thu Jan 8 10:34:10 EST 2009
Jeff Williams wrote:
> JDBC has the PreparedStatement which provides a parameterized API for
> databases. Highly recommended for virtually all queries. And you have to use
> the ? placeholders. If you use PreparedStatement but just concatenate user
> data into the query it is still injectable.
>
> --Jeff
>
Classic ASP also has an equivalent of a PreparedStatement. Jeff could
look it up in the ASP version of WebGoat that I did for them . . . :-)
Rogan
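The pitfall Jeff describes, a PreparedStatement whose SQL text already has the user's data concatenated in, shown next to the `?` placeholder form. This is an added example, not code from the original thread; it assumes the H2 JDBC driver is on the classpath for an in-memory database, and the table and rows are constructed for the demo.

```java
// Added example (not from the original thread). Assumes the H2 JDBC driver is
// available so an in-memory database can be created; any JDBC driver would do.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Unsafe: PreparedStatement is used, but the user's data is concatenated
    // into the SQL text before the database parses it, so the parser treats
    // the input as SQL. Exactly the case Jeff warns about.
    static int countUnsafe(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE username = '" + user + "'";
        try (PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the ? placeholder keeps the SQL text fixed; the driver sends the
    // value separately, so it can only ever be compared as a string value.
    static int countSafe(Connection c, String user) throws SQLException {
        String sql = "SELECT COUNT(*) FROM accounts WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data in an in-memory H2 database (assumption).
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE accounts (username VARCHAR(64))");
            st.execute("INSERT INTO accounts VALUES ('alice'), ('bob')");

            String input = "nobody' OR '1'='1";   // textbook tautology input
            System.out.println("concatenated: " + countUnsafe(c, input)); // 2: every row matches
            System.out.println("placeholder:  " + countSafe(c, input));   // 0: compared as a literal
        }
    }
}
```

The concatenated form returns both rows because the quote in the input closes the string literal and the rest becomes part of the WHERE clause; the placeholder form returns zero because no account has that literal username.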