Question

I mean, if we use some binary-based language, we prevent SQL injection thoroughly, don't we?


Solution

The language that's being used is not the problem.

The problem is building SQL statements using data from untrusted sources.

It doesn't matter if it's PHP:

$sql = "SELECT * FROM users WHERE id = '$id'";

or if it's in C:

sprintf( sql, "SELECT * FROM users WHERE id = '%s'", id );

In both cases, if the id or $id variable is untrusted input from an outside data source, the SQL being built is tainted. In either case, if an attacker passes in an id of '; drop table users;, then you're building:

SELECT * FROM users WHERE id = ''; drop table users;

The answer to avoiding SQL injection is: do not build SQL statements using outside data.
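As an added example that is not part of the question or the answer above, the same two forms side by side in Python with the standard sqlite3 module (a substitute for the PHP and C lines, chosen because it runs without a database server): the concatenated form reproduces the tainted statement from the answer, while the parameterized form sends the SQL text as a constant and the value as a bound parameter, so the same input is matched as data and the users table survives. The sample rows are constructed.

```python
import sqlite3

# Constructed sample data, not from the original post.
SEED_USERS = [(1, "alice"), (2, "bob")]
# The input quoted in the answer above.
INJECTED_ID = "'; drop table users;"


def build_query_by_concatenation(user_id: str) -> str:
    """Mirror the PHP and C lines in the answer: the untrusted value is pasted
    straight into the SQL text, so any quote character in it becomes syntax.
    This only builds the string; it is never executed here."""
    return f"SELECT * FROM users WHERE id = '{user_id}'"


def open_db() -> sqlite3.Connection:
    """In-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def lookup_user_parameterized(conn: sqlite3.Connection, user_id) -> list:
    """Hardened form: the statement text never changes; the value travels
    separately as a bound parameter and cannot be parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    print("tainted text :", build_query_by_concatenation(INJECTED_ID))
    print("bound lookup :", lookup_user_parameterized(db, INJECTED_ID))
    print("table intact :", users_table_exists(db))
```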

License: CC-BY-SA with attribution
Not affiliated with StackOverflow