Re: Preventing SQL injection attacks: are -T and placeholders not enough?

Just a note on placeholders...

I've also been a staunch user (and advocate) of placeholders for quite some time. However, some time ago I found myself in a position where I had to make DB connections to a MS-SQL server from a Linux box. Those that have been down this path will understand when I say that this was quite a painful and frustrating experience.

I eventually settled on a solution that uses a combination of DBD::Sybase and FreeTDS (mostly because this solution was the least painful to get up and working), but to my disappointment I discovered that placeholder support is lacking in this solution, which meant that we had to be very careful with the code.

I've not looked into it for a while, but as far as I'm aware there is no easy workaround to this. But I'd be very pleased to discover that there is, if anyone is aware of one?

Cheers,
Darren

Comment on Re: Preventing SQL injection attacks: are -T and placeholders not enough?

Replies are listed 'Best First'.
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough? by mpeppler (Vicar) on Jan 09, 2008 at 07:42 UTC
Yes, it is unfortunate that FreeTDS doesn't support placeholders in their Client Library implementation - because they do support placeholders in their ODBC implementation. The FreeTDS team is quite active, so I'm hoping that this support will eventually be added. Of course I'm sure they'd be more than happy if someone had the time and the energy to lend a hand and try to add this functionality... Michael	[reply]

Replies are listed 'Best First'.

Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by mpeppler (Vicar) on Jan 09, 2008 at 07:42 UTC

The FreeTDS team is quite active, so I'm hoping that this support will eventually be added. Of course I'm sure they'd be more than happy if someone had the time and the energy to lend a hand and try to add this functionality...

Michael

[reply]