开发者

Preventing SQL injection in C++ OTL, DTL, or SOCI libraries

I've been looking at all three of these database libraries, and I'm wondering if they do anything to prevent SQL injection. I'm most likely going to be building a lib on top of one of them, and injec开发者_JAVA技巧tion is a top concern I have in picking one. Anybody know?


Got with the author of the OTL library. A parameterized query written in "OTL Dialect," as I'm calling it, will be passed to the underlying DB APIs as a parameterized query. So parameterized queries would be as injection safe as the underlying APIs make them.

Go to this other SO post for his full e-mail explanation: Is C++ OTL SQL database library using parameterized queries under the hood, or string concat?

Edit: SOCI uses the soci::use expression, which translates to the usual binding mechanism, but with more syntactic sugar. Example: db_session << "insert into table(column) values(:value_placeholder)", use(user_input,"value_placeholder");

As far as DTL is concerned, I'm not sure what it do with parameters in relation to the underlying APIs.


Generally a library at this level should just do what you tell it to. You most prevent SQL injection by looking at strings you're provided by the user, and only passing things on to the library after you've sanitized them.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜