by danparsonson 5556 days ago
All of those scenarios can be handled in such a way that you're only concatenating known strings rather than user input - e.g.

stmt = "SELECT col1 FROM table ORDER BY col2 " + (isDescendingSort ? "DESC" : "ASC")

As long as all your user input has been filtered through type checking, enumerations, etc. (aside from parameters), is that not a safe approach?

1 comment

Of course you can build these queries safely.

Of course you should use prepared statements when possible.

But web devs do have a bad habit of saying "we're safe, we used prepared statements", and then losing their app within 5 minutes because of the code that handles sortable columns in their table views.
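The pattern both comments describe, as an added example that is not part of the thread: values go through bound parameters, while the sort column and direction are looked up in a whitelist so only known strings are ever concatenated into the statement. The vulnerable version beside it is the "sortable columns" code the reply warns about: the WHERE value is parameterized, but the column name is user input spliced into the query text, and a constructed ORDER BY payload turns the row order into a yes/no answer to an arbitrary subquery. The table, rows, and payload are all constructed for this example and run on an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data (not from the thread) so the example runs offline.
SAMPLE_ROWS = [
    ("alice", 30, "admin"),
    ("bob", 45, "user"),
    ("carol", 35, "user"),
]

# Whitelists: the only strings that are ever spliced into the query text.
# Keys are what the request may say; values are the SQL fragments we emit.
SORTABLE_COLUMNS = {"name": "name", "age": "age", "role": "role"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# Constructed blind-injection payload for the vulnerable version below: the
# sort key becomes 'age' when the subquery is true and 'name' otherwise, so
# the attacker reads the answer off the order of the returned rows.
PAYLOAD = ("(CASE WHEN (SELECT COUNT(*) FROM users WHERE role = 'admin') = 1 "
           "THEN age ELSE name END)")


def make_db():
    """Build the in-memory table the queries below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_sorted_names(conn, role, sort_col, descending):
    """The 'sortable columns' bug: role is bound as a parameter, but the
    column name is request input concatenated straight into the statement."""
    stmt = ("SELECT name FROM users WHERE role = ? ORDER BY "
            + sort_col + (" DESC" if descending else " ASC"))
    return [row[0] for row in conn.execute(stmt, (role,))]


def safe_sorted_names(conn, role, sort_col, direction):
    """Same query, but only whitelist values reach the SQL text; the user's
    strings are dictionary keys, never SQL fragments."""
    column = SORTABLE_COLUMNS.get(sort_col)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError("unsupported sort: %r %r" % (sort_col, direction))
    stmt = ("SELECT name FROM users WHERE role = ? ORDER BY "
            + column + " " + order)
    return [row[0] for row in conn.execute(stmt, (role,))]


if __name__ == "__main__":
    db = make_db()
    # Legitimate use of both versions.
    print(safe_sorted_names(db, "user", "age", "asc"))      # ['carol', 'bob']
    print(unsafe_sorted_names(db, "user", "age", False))    # ['carol', 'bob']
    # The payload is accepted by the vulnerable version and leaks one bit:
    # age order means "there is exactly one admin", name order means not.
    print(unsafe_sorted_names(db, "user", PAYLOAD, False))  # ['carol', 'bob']
    # The whitelisted version never lets it near the query text.
    try:
        safe_sorted_names(db, "user", PAYLOAD, "asc")
    except ValueError as exc:
        print("rejected:", exc)
```

The check that matters is the last one: the hardened function does not try to escape or validate the column name, it simply refuses anything that is not a key in `SORTABLE_COLUMNS`, so the string that reaches the database is always one the developer wrote. Repeat the same lookup for every other dynamic fragment (page size clamps, direction, table or column names) and the original comment's claim holds.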