Re: [GENERAL] Prepared statement performance...
| From | nferrier@tapsellferrier.co.uk |
|---|---|
| Subject | Re: [GENERAL] Prepared statement performance... |
| Date | |
| Msg-id | ur8etpeai.fsf@tapsellferrier.co.uk |
| In reply to | Re: [GENERAL] Prepared statement performance... ("Peter Kovacs" <peter.kovacs@sysdata.siemens.hu>) |
| List | pgsql-jdbc |
"Peter Kovacs" <peter.kovacs@sysdata.siemens.hu> writes:

> Thank you for your explanation. But I still do not see how
>
> INSERT INTO Users (username) VALUES ('joe'; DROP TABLE users');
>
> will be evaluated so that it drops table 'users'. Actually, this should
> evaluate to a syntax error, shouldn't it?

That's right. I think Toby is mistaking the classic JavaScript hack for a SQL hack.

The JS hack is possible because developers rarely use strong validation for input fields, thus allowing JS statements into the database. When these are presented on web pages they can get up to all sorts of tricks and wheezes.

I've never heard of a SQL hack based on input fields; it seems most unlikely, but something could probably be done based on stored procs. The hacker would have to have intimate knowledge of the stored procs and would also have to find one that would do something dangerous.

Nic
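The statement quoted above can be run both ways to see what the two approaches to building a query actually do with that input. This is an added example, not code from the thread or from the pgsql-jdbc project; it uses Python's built-in sqlite3 module as a stand-in for PostgreSQL and JDBC, and the table name, the helper names and the in-memory database are assumptions made for the demonstration. It pastes the thread's value into the SQL text (the concatenation the quoted statement came from) and, separately, binds the same value as a prepared-statement parameter, then reports whether the database rejected the statement, whether the table survived and what ended up stored.

```python
import sqlite3

# The username value exactly as it appears in the statement quoted in the thread.
THREAD_INPUT = "'joe'; DROP TABLE users'"


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with a one-column users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue for a table; used to confirm nothing was dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_usernames(conn: sqlite3.Connection) -> list:
    """Return every stored username, or an empty list if the table is gone."""
    if not table_exists(conn, "users"):
        return []
    return [row[0] for row in conn.execute("SELECT username FROM users")]


def insert_by_concatenation(raw_value: str) -> dict:
    """Build the SQL text by pasting the value in, which is how the quoted statement arises.

    The value is parsed as SQL, so the driver sees INSERT ... VALUES ('joe'; DROP TABLE users')
    and, as the thread says, rejects it as a syntax error rather than running anything.
    """
    conn = fresh_db()
    sql = "INSERT INTO users (username) VALUES (" + raw_value + ")"
    try:
        conn.execute(sql)
        conn.commit()
        error = None
    except sqlite3.Error as exc:  # base class: syntax error here, other driver errors elsewhere
        error = type(exc).__name__
    return {
        "sql": sql,
        "rejected": error is not None,
        "error": error,
        "table_survived": table_exists(conn, "users"),
        "rows": stored_usernames(conn),
    }


def insert_by_parameter(raw_value: str) -> dict:
    """Bind the value as a parameter of a prepared statement.

    The SQL text never contains the value; the driver sends it separately, so the whole
    string, quotes and semicolon included, is stored verbatim as a username.
    """
    conn = fresh_db()
    conn.execute("INSERT INTO users (username) VALUES (?)", (raw_value,))
    conn.commit()
    return {
        "table_survived": table_exists(conn, "users"),
        "rows": stored_usernames(conn),
    }


if __name__ == "__main__":
    print(insert_by_concatenation(THREAD_INPUT))
    print(insert_by_parameter(THREAD_INPUT))
```

The concatenated form is rejected, so the table survives by accident of the input's shape; the parameterised form survives by design, because the value is data to the database and never part of the statement. That separation, not the syntax error, is what makes prepared statements the right default for untrusted input.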