Kevin Hunter wrote:
>>> What about an SQL injection bug that allows for increased privileges?
>>
>> Um, web programming 101 is that you escape quotes on user-supplied
>> inputs. That ends SQL injection.
>
> Pardon my naivete (I'm fairly new to web/DB programming) . . . is this
> the current standard method of protection from SQL injection? How
> does it compare to SQL preparation with bound variables?
When you use SQL Prepared statements it is normal for the db driver to
escape out the variables for you. Well at least it is in PHP, I can't
say for other systems.
>
> Kevin