by 0x0539
3855 days ago
As long as you use prepared statements correctly. I can't tell you how many times I've seen someone passing a query through the prepared query method but still crafting the query dynamically. Stuff like:

prepareQuery("SELECT something FROM table WHERE col='"+userInput+"' and otherCol=?", otherUserInput);

That is still vulnerable even though prepared statements are in use. As long as user input doesn't find its way into the query string, though, you should be safe from these, assuming the issue isn't internal, like bad stored procedures creating queries based on input.
This is very dumb, yet too common. :-/
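The mixed concatenate-and-bind pattern from the comment above, run end to end against an in-memory SQLite database. This is an added example, not code from the thread; the table, rows, function names and the injection string are all constructed here to show that binding only the second value does nothing for the first one, while binding both turns the same payload into an ordinary (non-matching) string.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
ROWS = [("alice", "active"), ("bob", "active"), ("carol", "disabled")]


def make_db():
    """Build a throwaway in-memory database with a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT NOT NULL, status TEXT NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_mixed(conn, name, status):
    """The anti-pattern: `name` is concatenated into the SQL text, only `status`
    is bound. The driver happily prepares whatever string it is handed, so the
    concatenated value is parsed as SQL, not as data."""
    sql = "SELECT name FROM accounts WHERE name='" + name + "' AND status=?"
    return [row[0] for row in conn.execute(sql, (status,))]


def lookup_bound(conn, name, status):
    """The fix: every user-controlled value goes through a placeholder, so the
    SQL text is a constant and the values can never change its structure."""
    sql = "SELECT name FROM accounts WHERE name=? AND status=?"
    return [row[0] for row in conn.execute(sql, (name, status))]


# Constructed injection string. Inside the concatenated query it becomes
#   WHERE name='x' OR 'a'='a' OR name='' AND status=?
# and because AND binds tighter than OR, the always-true 'a'='a' makes the
# bound status check irrelevant: every row comes back.
PAYLOAD = "x' OR 'a'='a' OR name='"


def demo():
    """Return the result of both lookups for a legitimate name and for PAYLOAD."""
    conn = make_db()
    return {
        "mixed_legit": lookup_mixed(conn, "alice", "active"),
        "mixed_payload": sorted(lookup_mixed(conn, PAYLOAD, "active")),
        "bound_legit": lookup_bound(conn, "alice", "active"),
        "bound_payload": lookup_bound(conn, PAYLOAD, "active"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:14s} -> {names}")
```

Note that the bound `status=?` in `lookup_mixed` is genuinely parameterised and still does not help: the attacker controls the shape of the WHERE clause through the other column, so the condition the placeholder guards is simply OR'ed away. The only robust check is a code-review or lint rule that flags any string concatenation or f-string feeding a query API, regardless of whether that API also takes parameters.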