With Sybase, one of the best ways that I've found to avoid any risk of SQL Injection is to mandate the use of stored procedures, and to always use RPC semantics when calling the stored procedures rather than language commands.

This means that there is no parsing of the input parameters (other than ensuring that they match the parameters' datatypes), so any text that is passed in for a particular parameter can never be executed.

Another advantage (on large systems) is that the procs encapsulate all the SQL, making it a lot easier to find offending (badly performing) queries and to tune them independently of the client code.

I realize that this isn't always practical, but once everyone in the team knows how this works it's actually quite efficient, in particular on large systems (200+ developers, several thousand tables, three million+ lines of SQL code...).

Michael


In reply to Re: Detect SQL injection by mpeppler
in thread Detect SQL injection by jeanluca
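The contrast the post above draws (a language command, where the server parses a string that may contain attacker text, versus an RPC call to a stored procedure, where parameter values are only type-checked) as an added example in Perl with DBD::Sybase. This is not code from the post or from DBD::Sybase itself. It assumes a hypothetical stored procedure `get_author` on the server (its definition is shown in a comment), that the connection details are replaced with real ones, and that DBD::Sybase sends an `exec procname ?` statement with placeholders as an RPC call (ct_command with CS_RPC_CMD) rather than as a language command.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection details are assumed placeholders: replace with your own.
my $dbh = DBI->connect(
    'dbi:Sybase:server=SYBASE;database=pubs2',
    'username', 'password',
    { RaiseError => 1, PrintError => 0 },
);

# Hypothetical stored procedure assumed to exist on the server:
#
#   create proc get_author @au_lname varchar(40)
#   as
#       select au_id, au_fname, au_lname
#         from authors
#        where au_lname = @au_lname
#   go
#
# The proc contains no dynamic SQL (no exec(@sql)), so the parameter value
# is only ever compared as a varchar and is never re-parsed as SQL.

# Constructed attacker-style input used for the demonstration.
my $untrusted = "Ringer' or 1=1 --";

# Language command: the whole string is sent to the server to be parsed.
# The quote in the input closes the literal and the rest becomes SQL,
# so this returns every author instead of one. Vulnerable by design.
sub lookup_by_language_command {
    my ($dbh, $name) = @_;
    my $sql = "select au_id, au_fname, au_lname from authors "
            . "where au_lname = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# RPC call: "exec" plus placeholders is sent as a remote procedure call.
# The value of $name travels as a typed parameter (varchar(40) here) and
# is never parsed as SQL, so the quote and the "or 1=1" are just characters
# that fail to match any au_lname. The server only checks the datatype.
sub lookup_by_rpc {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare('exec get_author ?');
    $sth->execute($name);
    my @rows;
    # A proc can return several result sets; collect rows from all of them.
    do {
        while (my $row = $sth->fetchrow_arrayref) {
            push @rows, [ @$row ];
        }
    } while ($sth->{syb_more_results});
    return \@rows;
}

my $rows = lookup_by_rpc($dbh, $untrusted);
printf "RPC call returned %d row(s) for the injected input\n", scalar @$rows;

$dbh->disconnect;
```

Two checks worth making when adopting this pattern: confirm with your driver's trace or the server's process monitoring that the call really goes out as an RPC and not as a language command (a proc called by building `"exec get_author '$name'"` as a string is still a language command and is still injectable), and make sure the procs themselves do not rebuild SQL from their parameters with `exec(@sql)`, since that reintroduces exactly the parsing step the RPC path avoided.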