The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Great session on how to prevent SQL Injection Myths and Fallacies

Posted by jpluimers on 2012/08/15

A few weeks ago, Bill Karwin gave a must-watch webinar on preventing SQL injection, titled “SQL Injection Myths and Fallacies”.

Bill Karwin (twitter, new blog, old blog, Amazon) is well known for his work in the SQL database community, including InterBase/Firebird, MySQL, Oracle and many more.

He also:

Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the questions follow up.

Watching it you’ll get a better understanding of defending against SQL injection.

A few very valuable points he made:

  • Escaping is not the solution, and multiple levels of escaping only make life harder
  • SQL parameter objects aren’t always a solution for SQL injection, as they can only be used for parameter values (and not, for instance, for table or column names, or for other SQL syntax such as an ORDER BY direction)
  • If you have to translate user input to SQL, then map it to safe SQL, not
  • Database firewalls aren’t 100% foolproof (they generate false positives and false negatives)
  • NoSQL doesn’t suffer from SQL injection, but it does suffer from NoSQL injection
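As an added example (not code from the webinar or this post), the second and third points above combine like this: values go through bound parameters, while the column name and ORDER BY direction, which parameters cannot cover, are mapped through an allow-list onto fixed SQL tokens. It assumes an SQLite database with a hypothetical products table, constructed inline.

```python
import sqlite3

# Allow-lists: the user's choice is only a key that selects a fixed
# identifier or keyword; the input text itself never reaches the statement.
SORT_COLUMNS = {"name": "name", "price": "price", "created": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query(sort_by, direction):
    """Build the statement text. Only allow-listed tokens are interpolated;
    the price threshold stays a bound-parameter placeholder (?)."""
    column = SORT_COLUMNS.get(sort_by.lower())
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError("unsupported sort column or direction")
    return f"SELECT name, price FROM products WHERE price >= ? ORDER BY {column} {order}"


def products_above(conn, min_price, sort_by="name", direction="asc"):
    """min_price is bound as a parameter, so the driver always treats it
    as a value, never as SQL syntax, whatever characters it contains."""
    sql = build_query(sort_by, direction)
    return conn.execute(sql, (min_price,)).fetchall()


def demo_db():
    """Constructed in-memory sample data for this example (hypothetical table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, created_at TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("widget", 9.5, "2012-01-01"), ("gadget", 19.0, "2012-02-01"),
         ("gizmo", 4.0, "2012-03-01")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(products_above(db, 5, "price", "desc"))
    # A bound value containing SQL text is compared as data: no row matches.
    print(products_above(db, "0 OR 1=1"))
    # Non-allow-listed sort syntax is rejected before any SQL is built.
    try:
        products_above(db, 5, "name", "asc; DROP TABLE products")
    except ValueError as e:
        print("rejected:", e)
```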

You might think that, because many of the examples are in PHP, this is only valuable for web applications.

I’ve seen so many native apps suffering from SQL injection that this session is a “must watch” for any developer.

The non-web apps I have seen fail used technologies like .NET, Xcode, C++ and Delphi, on a variety of platforms (Windows, Mac, mobile, you name it).

He will repeat this session at Percona Live on these dates:

  • New York, October 1-2, 2012
  • London, December 3-4, 2012
  • Santa Clara, April 22-25, 2013

If you are nearby, try to get there, he is a very entertaining speaker!

via SQL Injection Myths and Fallacies.

One Response to “Great session on how to prevent SQL Injection Myths and Fallacies”

  1. I remember dealing with SQL injection issues in the past. I thought there was a quick way (one call) to make sure all strings entered were clean?
