in reply to Re: Detect SQL injection
in thread Detect SQL injection
A few points.
- Not every database (driver) allows placeholders in just any place you want.
- You do not want to quote your types. Even simple types usually consist of several (lexical) tokens, for instance char(3), which has 4 tokens. Quoting that makes it one token, and not valid SQL.
- Why the "Dare you!" at the end? There can be many reasons to prefer more closely following the company's database API instead of using a greatest-common-divisor strategy. I've done rapid prototyping, trying out solutions using Perl, which then later got implemented in the company's main code repo, which was written in C. I wrote my solutions using sybperl and DBlib/CTlib calls, because those are the calls the Sybase C libraries provided. DBI would not have been a good choice.
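The two placeholder points above (a placeholder only works where a value belongs, and quoting a type such as char(3) turns several tokens into one string literal) can be seen directly with DBI. The following is an added example, not code from the post or from the thread: it uses an in-memory SQLite database via DBD::SQLite in place of the Sybase/sybperl setup, and the table, column types and data are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): where DBI placeholders do
# and do not work. Uses DBD::SQLite in memory as a stand-in for Sybase;
# table names, types and rows below are constructed for the demonstration.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# 1. Placeholders belong in value positions. The driver sends the data
#    separately from the SQL text, so a quote character inside a value is
#    just data and never becomes part of the statement.
$dbh->do("CREATE TABLE parts (code char(3), qty integer)");
my $ins = $dbh->prepare("INSERT INTO parts (code, qty) VALUES (?, ?)");
$ins->execute("ABC", 10);
$ins->execute("X'Y", 20);

my ($n) = $dbh->selectrow_array(
    "SELECT count(*) FROM parts WHERE code = ?", undef, "X'Y");
print "rows with code X'Y: $n\n";    # expected: 1

# 2. A placeholder in a type (or identifier) position is not a value slot.
#    A bound parameter is a single literal token, so a multi-token type
#    such as char(3) cannot be passed that way; the statement is rejected
#    at prepare time.
my $accepted = eval {
    $dbh->do("CREATE TABLE bad (code ?)", undef, "char(3)");
    1;
};
print "placeholder in type position: ",
    ($accepted ? "accepted\n" : "rejected ($@)");

# 3. For positions that cannot take a placeholder, compare the fragment
#    against a fixed list of permitted values instead of quoting it.
#    $dbh->quote("char(3)") would yield the one-token literal 'char(3)',
#    which is not a valid type, and quoting would not stop an unexpected
#    fragment from reaching the statement anyway.
my %allowed_type = map { $_ => 1 } ("char(3)", "integer", "varchar(32)");

sub checked_type {
    my ($type) = @_;
    die "refusing column type '$type': not in the permitted list\n"
        unless $allowed_type{$type};
    return $type;
}

my $type = checked_type("char(3)");
$dbh->do("CREATE TABLE good (code $type)");
print "created table with column type $type\n";

my $ok = eval { checked_type("char(3)), extra integer"); 1 };
print "unexpected type fragment: ", ($ok ? "accepted\n" : "rejected\n");

$dbh->disconnect;
```

Run it with DBI and DBD::SQLite installed; the first block shows a value containing a quote being stored and matched without any hand-escaping, the second shows the driver refusing a placeholder in a type position, and the third shows the allow-list check that replaces quoting for such positions.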