SQL Injection Myths & Fallacies
SQL injection is one of the most serious threats to web application security. In this presentation, organized by The SF MySQL Meetup Group on November 10, 2010, Bill Karwin, author of SQL Antipatterns, will break down some common myths related to SQL code injection, give you some examples of common code injection attacks, and show how you can secure your web apps against those attacks.

Twelve common myths debunked by Bill in this video include:

  • I don't have to worry anymore (SQL injection is an "old" problem)
  • Escaping is the fix
  • More escaping is better
  • I can code an escaping function
  • Only user input is unsafe
  • Stored procs are the fix
  • SQL privileges are the fix
  • My app doesn't need to be secure
  • Frameworks are the fix
  • Parameters quote for you
  • Parameters are the fix
  • Parameters make queries slow
Enjoy, and don't forget to head over to TechTV to see more great educational videos on open source development.
Published December 6, 2010