Hacker News

This. If SQL injection was infeasible because the language had no literals, then there would be no SQL injection. Given that SQL injection is possible because the language does have literals, we should and do in fact still have SQL injection issues.



The fact that SQL has literals is not a problem. It’s true that eliminating literals would prevent SQL injection, but it’s an absurd solution to the problem. How should we write queries by hand? What about things that actually should be constant (e.g. where col is null)?
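To make the two comments above concrete, here is an added example (not code from the thread): the same string that is a perfectly ordinary name breaks a query when it is spliced into the SQL text as a literal, is handled as plain data when bound as a parameter, and a genuinely constant predicate such as `where col is null` stays in the query text either way. The table, names and addresses are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table; names and addresses are made up for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", None)],
    )
    return conn


def lookup_concat(conn, name):
    # Data is spliced into the SQL text, so the parser sees it as literal
    # syntax: any quote inside `name` ends the literal and changes the
    # structure of the statement instead of staying inside the value.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # The query text carries no user-derived literal at all; the driver
    # binds `name` as a value, so quotes inside it are ordinary characters.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def missing_email(conn):
    # A predicate that really is constant belongs in the query text; no
    # literal from outside the program is involved.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE email IS NULL")]


def demo(name="O'Brien"):
    # Returns what each approach produces for the same input string.
    conn = make_db()
    results = {"param": lookup_param(conn, name), "null": missing_email(conn)}
    try:
        results["concat"] = lookup_concat(conn, name)
    except sqlite3.OperationalError as err:
        # The apostrophe terminated the literal early and left a broken statement.
        results["concat"] = "error: " + str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated form fails on an innocent apostrophe for the same reason it can be steered by a hostile one: the database cannot tell where the data ends and the statement resumes.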



