Stopping SQL injections

So I've been learning a lot about SQL, but I'm kind of confused about stopping SQL injections. I've seen some people say that I should basically encrypt my data to stop SQL injections, and I've seen other people scream "NO, DON'T DO THAT. Just escape." So which is the superior method for stopping SQL injections, and what else can I do to stop them?

Encryption= No need to escape but MUH CPU
Escaping= What everyone does

if you encrypt it then you can't search for data
just escape and use prepared statements when putting things in

just use stored procedures

If the language you are using provides it, you should be executing sql statements in a way that is parametrized.

Use parameterization
owasp.org/index.php/Query_Parameterization_Cheat_Sheet

Use parameterized queries

the important thing is to not build sql queries in your application by joining strings together

how does encryption have any relation to sql injection?

Sanitize untrusted input; don't run queries that contain unsanitized untrusted input.

Webdevs are tards.

Because when you encrypt Robert'); DROP TABLE Students;--
It turns into something like jkA8#kLrfvdoA!K4iskskUSsjSj
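Added example, not code from any poster in this thread: the string-joining anti-pattern beside the parameterized form that several replies above recommend, run against a constructed Students table in Python's built-in sqlite3. It also feeds the thread's DROP TABLE string to the concatenated query to show that the error the driver raises there is an accident of that driver, not a defense.

```python
import sqlite3

# Constructed sample rows; not from the original thread.
STUDENTS = [("Alice", 91), ("Bob", 78), ("Robert", 85)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)", STUDENTS)
    return conn

def lookup_concat(conn, name):
    # VULNERABLE: the query text is assembled by joining strings, so the
    # input is parsed as part of the SQL grammar instead of staying data.
    sql = "SELECT name, grade FROM Students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # SAFE: the '?' placeholder is bound by the driver after the statement
    # is parsed; quotes and comment markers in the value are inert.
    sql = "SELECT name, grade FROM Students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed input that rewrites the WHERE clause when concatenated.
HOSTILE = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "concat_honest": lookup_concat(conn, "Robert"),   # one row
        "concat_hostile": lookup_concat(conn, HOSTILE),   # every row leaks
        "param_honest": lookup_param(conn, "Robert"),     # one row
        "param_hostile": lookup_param(conn, HOSTILE),     # no such name: []
    }

def drop_attempt_is_error():
    # The thread's classic payload against the concatenated query. Python's
    # sqlite3 refuses to run a second statement (and the stray ')' is a syntax
    # error), so this raises rather than dropping the table. That is a quirk of
    # this driver, not protection: lookup_concat is still injectable, as
    # demo()["concat_hostile"] shows with a single-statement payload.
    conn = make_db()
    try:
        lookup_concat(conn, "Robert'); DROP TABLE Students;--")
    except (sqlite3.Error, sqlite3.Warning):
        return conn.execute("SELECT count(*) FROM Students").fetchone()[0] == 3
    return False
```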

This.

Stored procedures / prepared queries. No other method is 100% fool-proof.

Even using stored procedures, some autist is gonna find a way to make them do something you didn't intend them to do unless you pay extremely close attention to your schema.

youtube.com/watch?v=_jKylhJtPmI

Holla Forums is NOT your personal tech support team or personal consumer review site. We have stickies for that. Keep those kinds of posts in there.

For tech support, software recommendations, and other questions that don't warrant their own thread, please use the 'Holla Forums Questions and Support' sticky.

This is not a request for tech support, this is discussion of techniques for stopping SQL injection.

Avoid SQL. Use graph databases instead. They're more robust and the future of the Web 3.0, aka internet of things

If for some reason I legitimately needed NoSQL, I'd just use a NoSQL table in postgres.

I know your post is a shit post but it still got to me.

Everyone and their dog is trusting all their data to MongoDB; it's scary.

Even Joyent, the company that stewards nodejs, prefers real databases, that should be telling.

that doesn't...

kill yourself

I never understood the NoSQL push.

To me it just seems like unstructured data and should only be used in cases where the data is actually unstructured.

Can anyone explain to me why it's being touted for other applications?

Because it structures the data without requiring a schema.

Use Linq

Hi Pajeet the Backseat Mod, Stack Overflow too slow to feed your hunger for control today?

And this is why we still have these problems. This was already a known bad idea in the '90s but PHP's shitty bindings to a shitty database making escaping a thing led to untold billions in damages. It took them years and years to bind the positional functions.
I guess we're making progress though as there weren't immediately calls for sanitizing. Maybe 17 more years and we'll be good.

Don't know how to XOR?