Tag Archives: SQL

SQL parameter escaping once again

Infinite times it was spread over the internet, that every string parameter that enters SQL query, especially user entered, should be escaped.

And again, and again, you open some critical enterprise grade project and see something like this:
CString sql = "SELECT * FROM categories WHERE category = '" + category + "'";
where category is unchecked and unescaped string that comes directly from user input.

Almost every contemporary database API contain escaping either by special method or automated while using prepared statements. But nevertheless, some our colleagues still write unsafe code. I’d suggest that it should be taught at every programming course, just by showing proper database query assembling, not a quick and dirty examples as they are now.