1 file changed +2 -0 lines changed
user_guide_src/source/concepts
@@ -198,6 +198,7 @@ Preventing injection requires keeping data separate from commands and queries:
198198- The preferred option is to use a safe API, which avoids using the interpreter
199199 entirely, provides a parameterized interface, or migrates to Object Relational
200200 Mapping Tools (ORMs).
201+
201202 - Note: Even when parameterized, stored procedures can still introduce SQL
202203 injection if PL/SQL or T-SQL concatenates queries and data or executes hostile
203204 data with EXECUTE IMMEDIATE or exec().
@@ -206,6 +207,7 @@ Preventing injection requires keeping data separate from commands and queries:
206207 mobile applications.
207208- For any residual dynamic queries, escape special characters using the specific
208209 escape syntax for that interpreter.
210+
209211 - Note: SQL structures such as table names, column names, and so on cannot be
210212 escaped, and thus user-supplied structure names are dangerous. This is a
211213 common issue in report-writing software.
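Review bot: Same RST reason as the first hunk, and the blank line before `- Note: SQL structures such as table names, column names, ...` is correct. Since this note says structure names cannot be escaped, consider a follow-up sentence stating the positive mitigation the reader should use instead (map user input to an allowlist of known table and column names rather than passing the supplied name through), so the note does not end on "dangerous" without telling report-writing code what to do.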