Preventing SQL injection in C++ OTL, DTL, or SOCI libraries

I've been looking at all three of these database libraries, and I'm wondering if they do anything to prevent SQL injection. I'm most likely going to be building a lib on top of one of them, and injection is a top concern I have in picking one. Anybody know?

Asked Jun 25 '10 14:06 by Brett Rossier


2 Answers

Got with the author of the OTL library. A parameterized query written in "OTL Dialect," as I'm calling it, will be passed to the underlying DB APIs as a parameterized query. So parameterized queries would be as injection safe as the underlying APIs make them.

Go to this other SO post for his full e-mail explanation: Is C++ OTL SQL database library using parameterized queries under the hood, or string concat?

Edit: SOCI uses the soci::use expression, which translates to the usual binding mechanism, but with more syntactic sugar. Example: db_session << "insert into table(column) values(:value_placeholder)", use(user_input,"value_placeholder");

As far as DTL is concerned, I'm not sure what it does with parameters in relation to the underlying APIs.

Answered Oct 24 '22 09:10 by Brett Rossier
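An added C++ example, not code from the question, the answers, or the SOCI, OTL or DTL libraries, illustrating the distinction the answer above draws: a value spliced into the SQL text by string concatenation changes the statement's structure, while a parameterized statement keeps the SQL text fixed and carries the value separately for the driver to bind. The ParamStatement struct, the function names, the quote-balance check and the sample input "O'Reilly" are assumptions of this example; no real database driver is involved, and the rendering function only shows how a driver would quote a bound value if it had to turn it into a literal.

```cpp
// Added example: concatenation vs. parameter binding, modelled without a real
// driver. Not SOCI/OTL/DTL code; names and sample input are constructed here.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// A parameterized statement as a binding API hands it to the driver: fixed SQL
// text with named placeholders, plus the values bound to those placeholders.
// The values never become part of the SQL text.
struct ParamStatement {
    std::string sql;
    std::vector<std::pair<std::string, std::string>> params;
};

// Vulnerable pattern: the user value is spliced into the SQL text, so any quote
// character in the value alters the statement itself.
std::string buildByConcat(const std::string& user_input) {
    return "insert into t(column) values('" + user_input + "')";
}

// Safe pattern (what SOCI's use() expresses): the SQL text is a constant and
// the value travels separately, so it can only ever be data.
ParamStatement buildParameterized(const std::string& user_input) {
    ParamStatement st;
    st.sql = "insert into t(column) values(:value_placeholder)";
    st.params.push_back({"value_placeholder", user_input});
    return st;
}

// Simple structural check: counts single quotes in SQL text. Text produced by
// concatenating an unescaped value can end up with an odd, unbalanced count.
int countQuotes(const std::string& sql) {
    int n = 0;
    for (char c : sql) {
        if (c == '\'') ++n;
    }
    return n;
}

bool quotesBalanced(const std::string& sql) {
    return countQuotes(sql) % 2 == 0;
}

// SQL standard literal escaping: a single quote inside a literal is doubled.
// In a real system this is the driver's job, never the application's.
std::string escapeLiteral(const std::string& value) {
    std::string out;
    for (char c : value) {
        if (c == '\'') out += "''";
        else out += c;
    }
    return out;
}

// Renders the bound statement as a single string (e.g. for logging) the way a
// driver would if it had to inline the value: each placeholder is replaced by
// the escaped, quoted value.
std::string renderForLogging(const ParamStatement& st) {
    std::string out = st.sql;
    for (const auto& p : st.params) {
        std::string marker = ":" + p.first;
        std::string::size_type pos = out.find(marker);
        if (pos != std::string::npos) {
            out.replace(pos, marker.size(), "'" + escapeLiteral(p.second) + "'");
        }
    }
    return out;
}

int main() {
    // Constructed sample input: an ordinary name containing an apostrophe.
    const std::string input = "O'Reilly";

    std::string concat = buildByConcat(input);
    std::cout << "concat:        " << concat
              << "  (quotes balanced: " << (quotesBalanced(concat) ? "yes" : "no") << ")\n";

    ParamStatement st = buildParameterized(input);
    std::cout << "parameterized: " << st.sql << "  bound "
              << st.params[0].first << "=" << st.params[0].second << "\n";
    std::cout << "rendered:      " << renderForLogging(st)
              << "  (quotes balanced: " << (quotesBalanced(renderForLogging(st)) ? "yes" : "no") << ")\n";
    return 0;
}
```

The point the example makes is the one the answer makes: with binding, the SQL text the driver parses is the same regardless of user input, so the injection safety of OTL- or SOCI-style parameterized queries reduces to the safety of the underlying driver's binding, not to anything the application does to the string.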


Generally a library at this level should just do what you tell it to. You mostly prevent SQL injection by looking at strings you're provided by the user, and only passing things on to the library after you've sanitized them.

Answered Oct 24 '22 11:10 by Jerry Coffin