Question

I mean,if we use some binary-based language,we prevent the SQL injection throughy don't we?

Was it helpful?

Solution

The language that's being used is not the problem.

The problem is building SQL statements using data from untrusted sources.

It doesn't matter if it's PHP:

$sql = "SELECT * FROM users WHERE id = '$id'";

or if it's in C:

sprintf( sql, "SELECT * FROM users WHERE id = '%s'", id );

In both cases, if the id or $id variable is untrusted input from an outside data source, the SQL being built is tainted. In either case, if an attacker passes in an id of '; drop table users;, then you're building:

SELECT * FROM users WHERE id = ''; drop table users;

The answer to avoiding SQL injection is: do not build SQL statements using outside data.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top