[Owasp-leaders] Stop blaming developers on Sql Injection

Rogan Dawes lists at dawes.za.net
Thu Jan 8 10:34:10 EST 2009


Jeff Williams wrote:
> JDBC has the PreparedStatement which provides a parameterized API for
> databases. Highly recommended for virtually all queries. And you have to use
> the ? placeholders.  If you use PreparedStatement but just concatenate user
> data into the query it is still injectable.
> 
> --Jeff
> 

Classic ASP also has an equivalent of a PreparedStatement. Jeff could
look it up in the ASP version of WebGoat that I did for them . . . :-)

Rogan
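The point in Jeff's quoted paragraph, shown as an added example that is not from this thread, from JDBC, or from WebGoat: the same `?` placeholder rule in Python's sqlite3 DB-API, which runs stand-alone without a JDBC driver. The users table and the injected input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; not from the original message.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    # The mistake Jeff describes: a parameterized API is available, but the
    # user value is spliced into the SQL text, so the query is still injectable.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, name):
    # The value is bound to a ? placeholder and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed test input containing a quote and an OR clause.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, INJECTED))
    print("parameterized:", lookup_parameterized(db, INJECTED))
```

With the concatenated query the injected input matches every row; with the bound parameter it matches none, because the whole string is compared as a literal name.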
