by tannhaeuser
2099 days ago
SQL injection can be as easy as accepting only quoted strings as parameters, with the parameter text not allowed to contain unescaped quotes itself, and converting strings to numbers and dates with SQL conversion funcs (wouldn't work with MySQL syntax though), or in fact using prepared statements. No need for heuristic best-efforts approaches.
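The two defences the comment describes, as an added example in Python with sqlite3 (not code from the original comment): a strict check that a parameter is one complete single-quoted SQL literal with every interior quote doubled, and a query that binds the checked values through placeholders and leaves number and date conversion to SQL itself. The table, its rows and the function names are constructed for this example. The SQLite caveat is real: `CAST` of a non-numeric string gives 0 rather than an error, and `date()` of an unparsable string gives NULL, so a bad value filters rows out silently instead of failing loudly.

```python
import re
import sqlite3

# One SQL single-quoted string literal, nothing before or after it, where every
# interior quote is written as '' (the standard SQL escape). A bare word, a
# trailing fragment, or an unescaped quote inside the literal all fail to match.
_QUOTED_LITERAL = re.compile(r"'(?:[^']|'')*'")


def is_quoted_literal(raw: str) -> bool:
    """True only if raw is exactly one well-formed quoted SQL string literal."""
    return _QUOTED_LITERAL.fullmatch(raw) is not None


def parse_quoted_param(raw: str) -> str:
    """Accept a quoted literal and return its value with escapes undone.

    Raises ValueError for anything that is not a single, complete, properly
    escaped quoted string (for example "'O'Brien'", which has a stray quote).
    """
    if not is_quoted_literal(raw):
        raise ValueError(f"parameter is not a single quoted string literal: {raw!r}")
    return raw[1:-1].replace("''", "'")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "total REAL, placed TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, total, placed) VALUES (?, ?, ?)",
        [
            ("O'Brien", 19.99, "2024-01-05"),
            ("Smith", 42.50, "2024-02-10"),
            ("O'Brien", 5.00, "2024-03-01"),
        ],
    )
    return conn


def find_orders(conn: sqlite3.Connection, raw_customer: str,
                raw_min_total: str, raw_since: str) -> list:
    """Look up orders using only quoted-literal parameters and bound placeholders.

    Every parameter arrives as text in quoted-literal form; it is validated,
    unquoted, and then bound with '?' so it never becomes part of the SQL text.
    Conversion to a number and to a date happens inside SQL (CAST and date()),
    as the comment suggests, rather than by string handling in the application.
    """
    customer = parse_quoted_param(raw_customer)
    min_total = parse_quoted_param(raw_min_total)
    since = parse_quoted_param(raw_since)
    return conn.execute(
        "SELECT id, customer, total FROM orders "
        "WHERE customer = ? AND total >= CAST(? AS REAL) AND placed >= date(?) "
        "ORDER BY id",
        (customer, min_total, since),
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Escaped interior quote is accepted and bound as the literal name O'Brien.
    print(find_orders(db, "'O''Brien'", "'10'", "'2024-01-01'"))
    # An unescaped interior quote is rejected before any SQL is built.
    try:
        parse_quoted_param("'O'Brien'")
    except ValueError as exc:
        print("rejected:", exc)
```

Even with the literal check in place, the values are still bound rather than concatenated; the check is a cheap, non-heuristic input contract, and the placeholder is what keeps data out of the query text.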