Hacker News

The most important thing to stop SQL injection is to validate your parameters on the server side.



Yes, but:

1. Not all SQL statements are parameterizable (dynamic identifiers vs literals)

2. Stopping SQL injection doesn't stop Insecure Direct Object References

3. Developers make mistakes

4. Plugins are a risk (example: http://www.zdnet.com/article/over-1-million-wordpress-websit...)

For parameterization to work you need to be perfect, always. My suggestions are for when someone else fucks up.
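An added example, written for this page and not code from either commenter, of what points 1 and 2 look in practice. It uses Python's sqlite3 on a constructed in-memory `docs` table (table name, columns and sample rows are assumptions for the demo): a string-formatted query beside its parameterized version, an allowlist for the one thing parameters cannot carry (identifiers in ORDER BY), and a fully parameterized lookup that is still an Insecure Direct Object Reference until the ownership check is put in the query.

```python
import sqlite3

# Constructed sample data for the demo: two users (100 and 200) each owning documents.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE docs (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO docs (id, owner_id, title, body) VALUES (?, ?, ?, ?)",
        [
            (1, 100, "alice notes", "shared"),
            (2, 100, "alice secrets", "alice only"),
            (3, 200, "bob secrets", "bob only"),
        ],
    )
    return conn


def search_vulnerable(conn, owner_id, term):
    # String formatting: the user's text is re-parsed as SQL, so a quote plus
    # OR '1'='1' escapes the owner_id filter and a trailing -- comments out the rest.
    sql = f"SELECT id FROM docs WHERE owner_id = {owner_id} AND title LIKE '%{term}%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_parameterized(conn, owner_id, term):
    # Bound parameters travel out of band; the driver never parses them as SQL,
    # so the same payload is just a (non-matching) LIKE pattern.
    sql = "SELECT id FROM docs WHERE owner_id = ? AND title LIKE ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (owner_id, f"%{term}%"))]


# Point 1: identifiers (column names, sort direction) cannot be bound as parameters.
# Map the caller's choice onto a fixed set of known-good SQL fragments instead.
SORTABLE = {"title": "title", "created": "id"}   # public name -> real column
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_sorted(conn, owner_id, sort_key, direction="asc"):
    try:
        column = SORTABLE[sort_key]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        # Anything not in the allowlist is rejected before it gets near the query string.
        raise ValueError(f"unsupported sort: {sort_key!r} {direction!r}")
    sql = f"SELECT id FROM docs WHERE owner_id = ? ORDER BY {column} {order}"
    return [r[0] for r in conn.execute(sql, (owner_id,))]


# Point 2: parameterization does nothing about authorization.
def get_doc_unscoped(conn, doc_id):
    # No injection possible, yet any caller can read any document by guessing its id.
    row = conn.execute("SELECT body FROM docs WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_doc_scoped(conn, owner_id, doc_id):
    # Ownership is part of the query, so a foreign id simply returns nothing.
    row = conn.execute(
        "SELECT body FROM docs WHERE id = ? AND owner_id = ?", (doc_id, owner_id)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "%' OR '1'='1' --"
    print("vulnerable:", search_vulnerable(conn, 100, payload))      # every user's docs
    print("parameterized:", search_parameterized(conn, 100, payload))  # nothing
    print("sorted:", list_sorted(conn, 100, "title", "desc"))
    print("IDOR:", get_doc_unscoped(conn, 3), "| scoped:", get_doc_scoped(conn, 100, 3))
```

The allowlist is the important part of the first point: because `ORDER BY ?` is not valid in any mainstream driver, the only safe way to let a caller pick a column is to never pass the caller's string into SQL at all, only a fragment chosen from a table you control. The second point is visible in `get_doc_unscoped`: it is perfectly parameterized and still leaks document 3 to user 100.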