On Monday 06 December 2004 12:31, you wrote:
> Derek Fountain <[EMAIL PROTECTED]> writes:
> > If another SQL Injection vulnerability turns up (which it might, given
> > the state of the website code),
>
> You will never see another SQL injection vulnerability if you simply switch
> to always using prepared queries and placeholders.

<much wisdom snipped>

Indeed, but I'm still interested in the general answer. The server I have been looking at was hopelessly insecure and SQL injection is only one of its problems. There were several other ways in!

Assume, for example, an attacker can write his own script directly into the website document tree. In this case prepared queries don't help protect what's in the database. The attacker can use them himself if he likes! Given this type of mess, having logins, passwords, credit card info and the like encrypted in the DB will add another layer of protection.

The question is, do people normally add this layer, just in case, or do they assume that all the previous layers will do the job? Personally I've never encrypted data in this way, but for this guy there does seem to be a requirement.
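The two layers discussed in this thread, placeholders so that input never becomes SQL text, and not keeping secrets in plaintext so that someone who can query the table still gets nothing usable, side by side in one small example. This is added illustration, not code from the thread or from PostgreSQL; it assumes Python's standard library `sqlite3` as an in-memory stand-in for the real database and uses a salted one-way hash (PBKDF2) for passwords rather than reversible encryption, since passwords only ever need to be verified, not read back. All names and data in it are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the website's backend;
# sqlite3 is used only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

# ---- Layer 1: placeholders, so user input is never spliced into SQL text ----

def find_user_unsafe(conn, login):
    # String concatenation: the login value becomes part of the SQL statement.
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone()

def find_user_safe(conn, login):
    # Placeholder: the driver passes the value separately; it cannot alter the query.
    return conn.execute("SELECT login FROM users WHERE login = ?", (login,)).fetchone()

# ---- Layer 2: store a salted one-way hash instead of the password itself ----

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def add_user(conn, login, password):
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    conn.execute("INSERT INTO users (login, salt, pw_hash) VALUES (?, ?, ?)",
                 (login, salt, hash_password(password, salt)))
    conn.commit()

def check_password(conn, login, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

def stored_secret_for(conn, login):
    """What someone who can run queries against the table sees for this login."""
    row = conn.execute("SELECT pw_hash FROM users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    add_user(conn, "o'brien", "correct horse")
    results = {}
    # A login containing a quote breaks the concatenated statement; the
    # placeholder version handles it as plain data.
    try:
        find_user_unsafe(conn, "o'brien")
        results["unsafe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe"] = "sql error"
    results["safe"] = find_user_safe(conn, "o'brien")[0]
    results["login_ok"] = check_password(conn, "o'brien", "correct horse")
    results["login_bad"] = check_password(conn, "o'brien", "wrong")
    # The table holds a 32-byte hash, not the password.
    results["plaintext_in_db"] = b"correct horse" in stored_secret_for(conn, "o'brien")
    return results

if __name__ == "__main__":
    print(demo())
```

The hashing layer is what actually answers the question in the post: with placeholders alone, an attacker who can run his own script against the database reads every password column in the clear; with the hash stored instead, he gets salts and digests he must brute-force one user at a time. Card numbers and similar data that must be read back need reversible encryption with the key held outside the database, which is a different design and not shown here.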