Postmodern Examples
Parameterized statements help protect against SQL injection, and some of the examples above already use parameterized forms. Parameters can only carry values: you cannot parameterize table names, column names or SQL keywords. If any of those come from the user, validate them against an allowlist of known identifiers before they get anywhere near the query text. Parameterized statements also do nothing against other attacks such as cross-site scripting, so you still need to validate input and escape output for wherever it is rendered.
The following is a simple parameterized query and a prepared statement using parameters. First, the plain SQL version:
Now the s-sql version:
Now the simple prepared statement version in standard sql and s-sql:
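As an added example (not code from the Postmodern documentation), the following Common Lisp block shows a parameterized query in plain SQL and in s-sql, the same two queries as prepared statements, and an allowlist check for the one thing parameters cannot cover, a column name chosen by the user. The table items (id integer, name text, price numeric), the connection spec and the use of Quicklisp are all assumptions.

```lisp
;; Added example, not from the Postmodern docs. Assumes a table
;; ITEMS (id integer, name text, price numeric) and the connection
;; spec below; adjust both for your database.
(ql:quickload '(:postmodern :s-sql))   ; assumption: Quicklisp is loaded

(defpackage :param-demo
  (:use :cl :postmodern :s-sql))
(in-package :param-demo)

(defparameter *db-spec* '("testdb" "testuser" "secret" "localhost")) ; assumed

;; 1. Plain SQL with a positional parameter. The value travels separately
;;    from the statement text, so "x' or '1'='1" is just a string to match.
(defun item-by-name/sql (name)
  (query "select id, name, price from items where name = $1" name :row))

;; 2. The same query in s-sql. The symbol '$1 is passed through as a
;;    parameter marker, and NAME is supplied as the first argument.
(defun item-by-name/s-sql (name)
  (query (:select 'id 'name 'price :from 'items :where (:= 'name '$1))
         name :row))

;; 3. Prepared statements: the server parses the statement once per
;;    connection and only the parameter values change on each call.
(defprepared item-by-id/sql
    "select id, name, price from items where id = $1" :row)

(defprepared item-by-id/s-sql
    (:select 'id 'name 'price :from 'items :where (:= 'id '$1)) :row)

;; 4. A column name cannot be a parameter: "order by $1" sorts by a constant
;;    string, not by the column. Compare the requested name against a fixed
;;    allowlist and interpolate only the allowlisted value, never raw input.
(defparameter *sortable-columns* '("id" "name" "price"))

(defun checked-sort-column (requested)
  (or (find requested *sortable-columns* :test #'string=)
      (error "Refusing to sort by unknown column ~S" requested)))

(defun items-cheaper-than (max-price sort-column)
  (let ((column (checked-sort-column sort-column)))
    ;; COLUMN is one of our own constant strings at this point; the price
    ;; is still passed as a parameter.
    (query (format nil "select id, name, price from items where price < $1 order by ~a"
                   column)
           max-price :rows)))

;; Usage: all queries run inside one connection.
(defun demo ()
  (with-connection *db-spec*
    (list (item-by-name/sql "widget")
          (item-by-name/s-sql "widget")
          (item-by-id/sql 1)
          (item-by-id/s-sql 1)
          (items-cheaper-than 10 "price"))))
```

Calling (items-cheaper-than 10 "price; drop table items") signals an error from checked-sort-column before any SQL is built, which is the behaviour you want for an identifier that cannot be parameterized.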
Now let's change the simple version to one where you want to give it a list.
What happened? You can't use a list here. You can, however, use a vector:
Moral of the story: you will have to coerce the list to a vector:
You also cannot use a list with the SQL keyword "in". E.g.
You can, however, convert it to a vector and use the keyword any. E.g.
Now the s-sql version. Note the change from any to any*:
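The list-versus-vector behaviour above, as an added example that is not code from the Postmodern documentation: a list is rejected as a parameter, a vector is sent as a PostgreSQL array and works with = ANY($1) in plain SQL and with :any* in s-sql, and an IN clause over a run-time list is built with sql-compile instead. The items table (id integer, name text), the connection spec and the use of Quicklisp are assumptions.

```lisp
;; Added example, not from the Postmodern docs. Assumes a table
;; ITEMS (id integer, name text) and the connection spec below.
(ql:quickload '(:postmodern :s-sql))   ; assumption: Quicklisp is loaded

(defpackage :list-demo
  (:use :cl :postmodern :s-sql))
(in-package :list-demo)

(defparameter *db-spec* '("testdb" "testuser" "secret" "localhost")) ; assumed

;; A Lisp list has no SQL literal representation, so cl-postgres refuses to
;; send it as a parameter. handler-case only makes that failure visible here.
(defun names-for-ids/list (ids)
  (handler-case
      (query "select name from items where id = any($1)" ids :column)
    (error (e)
      (format nil "list rejected: ~a" e))))

;; A vector is sent as a PostgreSQL array, which is what ANY() expects.
;; (coerce ids 'vector) is the conversion the text asks for.
(defun names-for-ids/sql (ids)
  (query "select name from items where id = any($1)"
         (coerce ids 'vector) :column))

;; s-sql: :any* wraps a single array argument, so the generated SQL is
;; id = ANY($1). Plain :any treats its arguments as separate operands.
(defun names-for-ids/s-sql (ids)
  (query (:select 'name :from 'items :where (:= 'id (:any* '$1)))
         (coerce ids 'vector) :column))

;; IN cannot take an array parameter: "id in ($1)" compares id with one
;; value. If IN is really wanted, splice the values into the s-sql form at
;; run time with sql-compile; s-sql escapes each literal itself, so this is
;; not string concatenation of raw input.
(defun names-for-ids/in (ids)
  (if (null ids)
      '()                                 ; an empty IN list is not valid SQL
      (query (sql-compile
              `(:select 'name :from 'items :where (:in 'id (:set ,@ids))))
             :column)))

;; Usage: the first call returns an error message, the other three return
;; the same column of names.
(defun demo ()
  (let ((ids '(1 2 3)))
    (with-connection *db-spec*
      (list (names-for-ids/list ids)
            (names-for-ids/sql ids)
            (names-for-ids/s-sql ids)
            (names-for-ids/in ids)))))
```

Prefer the = ANY($1) form with a vector for sets of values: it stays a single prepared statement regardless of how many values are passed, while the sql-compile IN form produces a different statement text for every list length.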