Josh Santangelo (endquote) wrote in lj_dev,

Defending against SQL-injection

First, thanks to those that replied to my earlier post about SQL things in general. I solved the problem by just daydreaming about it on the bus a bit, until I figured out how to go about writing the uber-query that eliminated the need for lots of smaller ones.

I have another question, which is how do folks recommend defending against SQL injection attacks? Some of the articles I've read suggest replacing single quotes with double quotes, removing key words like "SELECT", etc, but none of these really take into account large fields like the one I'm writing in, in which those are totally valid pieces of input.

So I guess the question is, what does LJ do to validate input? Is there some function that sanitizes everything somewhere?
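An added example (not from the post or from LJ's own code) of the approach that does not depend on stripping quotes or keywords out of large free-text fields: keep the statement text fixed and hand the user's values to the database separately as bound parameters. It uses Python's sqlite3 with an in-memory table; the table, function names and sample entry are constructed for the example.

```python
import sqlite3

# Constructed sample entry: it legitimately contains an apostrophe and the word
# SELECT, exactly the kind of input the post says must be accepted as-is.
SAMPLE_TITLE = "Bus thoughts"
SAMPLE_BODY = "Today's note: I'd rather SELECT one big query than many small ones."


def setup_db():
    """In-memory SQLite database with a small journal-entry table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    return conn


def insert_by_string_building(conn, title, body):
    """The fragile pattern: values are spliced into the statement text, so an
    ordinary apostrophe in the body ends the literal early and breaks the SQL."""
    sql = "INSERT INTO entries (title, body) VALUES ('%s', '%s')" % (title, body)
    conn.execute(sql)
    conn.commit()


def insert_with_parameters(conn, title, body):
    """The recommended pattern: the statement is fixed and the values are bound
    separately, so quotes and keywords in the input are stored as plain text."""
    conn.execute("INSERT INTO entries (title, body) VALUES (?, ?)", (title, body))
    conn.commit()


def find_body_by_title(conn, title):
    """Parameterised lookup; returns the stored body text, or None if no match."""
    row = conn.execute("SELECT body FROM entries WHERE title = ?", (title,)).fetchone()
    return row[0] if row else None


def demo():
    """Returns (error text from string building, body stored via parameters)."""
    conn = setup_db()
    error = None
    try:
        insert_by_string_building(conn, SAMPLE_TITLE, SAMPLE_BODY)
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the apostrophe in "Today's" produced a syntax error
    insert_with_parameters(conn, SAMPLE_TITLE, SAMPLE_BODY)
    return error, find_body_by_title(conn, SAMPLE_TITLE)


if __name__ == "__main__":
    err, body = demo()
    print("string building failed with:", err)
    print("parameterised insert stored:", body)
```

Perl's DBI offers the same mechanism through `?` placeholders in prepare/execute, so the quote-doubling and keyword-stripping the articles suggest become unnecessary.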