
Parameterized queries fail to protect from SQL injection for decades, because database engine developers fail to listen. What could work instead, if any parameter could be safely injected:

    SELECT $1, $2($3) FROM $4
    WHERE $5 $6 $7
    GROUP BY $1
    ORDER BY $8 $9
but at that point SQL loses its point and turns into MongoDB query language.
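As an added illustration of the point above (this is not the commenter's code), the following Python example uses an in-memory SQLite table constructed here to show what parameter binding does and does not cover: a bound parameter is always treated as a value, so a placeholder in an identifier position yields the literal string rather than the column, and the usual defensive answer is to allowlist column names, operators and sort directions while binding only the value. The table and allowlists are assumptions made for the example.

```python
import sqlite3

# Constructed sample table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn

# Allowlists for the statement parts that cannot be bound as parameters
# (identifiers, operators, keywords). These sets are assumptions for the demo.
ALLOWED_COLUMNS = {"id", "name", "role"}
ALLOWED_OPERATORS = {"=", "<>", "<", ">"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def value_binding_is_literal(conn):
    # A bound parameter is compared as data, never parsed as SQL, so this
    # classic payload string matches no row and returns an empty list.
    return conn.execute(
        "SELECT name FROM users WHERE role = ?", ("user' OR '1'='1",)
    ).fetchall()

def identifier_cannot_be_bound(conn):
    # Putting a placeholder where a column name belongs does not select the
    # column: the engine returns the string 'name' once per row.
    rows = conn.execute("SELECT ? FROM users", ("name",)).fetchall()
    return [r[0] for r in rows]

def find_users(conn, column, operator, value, order_by, direction):
    # Check every non-value part against a fixed allowlist, then quote the
    # identifiers and bind only the value. Returns (id, name) tuples.
    if column not in ALLOWED_COLUMNS or order_by not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("operator not allowed")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("direction not allowed")
    sql = (
        f'SELECT id, name FROM users WHERE "{column}" {operator} ? '
        f'ORDER BY "{order_by}" {direction}'
    )
    return conn.execute(sql, (value,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(value_binding_is_literal(db))      # []
    print(identifier_cannot_be_bound(db))    # ['name', 'name', 'name']
    print(find_users(db, "role", "=", "user", "name", "DESC"))
```

The allowlist is deliberately a closed set of known identifiers rather than a character filter: any column, operator or keyword the application did not anticipate is rejected outright, and the only attacker-controlled text that reaches the engine is the bound value.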