by elchief 4104 days ago
Yes, but:

1. Not all SQL statements are parameterizable (dynamic identifiers vs literals)

2. Stopping SQL injection doesn't stop Insecure Direct Object References

3. Developers make mistakes

4. Plugins are a risk (example: http://www.zdnet.com/article/over-1-million-wordpress-websit...)

For parameterization to work you need to be perfect, always. My suggestions are for when someone else fucks up.
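Points 1 and 2 above are easy to misread as abstract, so here is an added illustration (not part of the comment, written in Python against an in-memory SQLite database with constructed sample rows; the table, column and function names are all invented). It shows why a table or column name cannot be bound as a parameter and how an allow-list covers that gap, and then shows a fully parameterized lookup that is still an Insecure Direct Object Reference until the query is scoped to the authenticated user.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
# Insertion order deliberately differs from amount order.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL, note TEXT);
        INSERT INTO invoices VALUES (1, 100, 40.0, 'alice first');
        INSERT INTO invoices VALUES (2, 100, 25.0, 'alice second');
        INSERT INTO invoices VALUES (3, 200, 99.0, 'bob only');
    """)
    return conn


# --- Point 1: identifiers are not parameterizable --------------------------

def sort_via_bound_parameter(conn, column_name):
    """Binding an identifier as a parameter does not do what people expect.
    The driver hands SQLite a string *literal*, so ORDER BY sorts by a
    constant expression rather than by the named column."""
    return conn.execute(
        "SELECT id, amount FROM invoices ORDER BY ?", (column_name,)
    ).fetchall()


# Hypothetical allow-list: the only way to make a dynamic identifier safe is
# to ensure it can only ever be one of a fixed set of known names.
SORTABLE_COLUMNS = {"id", "amount", "note"}


def list_invoices(conn, current_user_id, sort_by="id", min_amount=0.0):
    """Dynamic identifier from an allow-list, literals bound as parameters,
    and the result set scoped to the caller's own rows."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # sort_by is now a known constant, so interpolating it is safe; the
    # user-controlled values (owner, threshold) still go through parameters.
    sql = (
        'SELECT id, amount, note FROM invoices '
        'WHERE owner_id = ? AND amount >= ? '
        f'ORDER BY "{sort_by}"'
    )
    return conn.execute(sql, (current_user_id, min_amount)).fetchall()


# --- Point 2: parameterized queries do not stop IDOR -------------------------

def get_invoice_idor(conn, invoice_id):
    """Fully parameterized, no SQL injection, still broken: any caller can
    read any invoice just by choosing its id."""
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice(conn, current_user_id, invoice_id):
    """Same lookup with the authorization check pushed into the query: a row
    belonging to someone else is simply not found."""
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices "
        "WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("bound identifier:", sort_via_bound_parameter(db, "amount"))
    print("allow-listed sort:", list_invoices(db, 100, "amount"))
    print("IDOR lookup as user 100:", get_invoice_idor(db, 3))
    print("scoped lookup as user 100:", get_invoice(db, 100, 3))
```

The allow-list is the whole defence for identifiers: rejecting anything outside the set is what keeps the f-string safe, and the check belongs right next to the interpolation so a later refactor cannot separate them. The IDOR fix is the same shape, an `owner_id = ?` predicate that the caller cannot influence, rather than a comparison done in application code after the row has already been fetched.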