I've been looking at all three of these database libraries, and I'm wondering if they do anything to prevent SQL injection. I'm most likely going to be building a lib on top of one of them, and injection is a top concern I have in picking one. Anybody know?
A:
Generally a library at this level should just do what you tell it to. You most prevent SQL injection by looking at strings you're provided by the user, and only passing things on to the library after you've sanitized them.
Jerry Coffin
2010-06-25 14:16:24
Well, I know it's good to always sanitize inputs to prevent injection, but I wasn't sure one way or the other on any of these libraries, as to whether they use parameters under the hood, or if they're basically just converting the variables I pass in to strings and combining them, or if maybe they convert my query to a parameterized version. Maybe I just missed something in the documentation for each, but so far I haven't seen anything to that effect.
pheadbaq
2010-06-25 14:31:18
A:
Got with the author of the OTL library. A parameterized query written in "OTL Dialect," as I'm calling it, will be passed to the underlying DB APIs as a parameterized query. So parameterized queries would be as injection safe as the underlying APIs make them.
Go to this other SO post for his full e-mail explanation: http://stackoverflow.com/questions/3149974/is-c-otl-sql-database-library-using-parameterized-queries-under-the-hood-or-st
As far as DTL or SOCI are concerned, I'm not sure what they do with parameters in relation to the underlying APIs.
pheadbaq
2010-06-30 18:57:53