In situations where we cannot use bind variables, for example when our dynamic queries must execute DDL statements, is the following list of protections sufficient?
Never use anonymous blocks in dynamic queries, so that only one statement can be executed by EXECUTE IMMEDIATE. This stops code injection attacks.
Remove all single quotes using the REPLACE function. This stops statement modification attacks.
What characters other than the single quote can be used for quoting, and how can they be escaped?
How can modification of a statement through AND, UNION, etc. attacks be prevented?
How can function-invocation attacks be prevented, so that the user cannot call the built-in functions? Every user has the right to call these functions, and a call to them can lead to denial of service and buffer overflows. How can we guard against this?
I would prefer the GUI to allow the single quote character rather than checking for it on the client side and server side of the web application. This should allow names such as O'Brian. At the database level, single quotes are removed before the EXECUTE IMMEDIATE operation. Do you know a better approach?
Solutions to any other vulnerabilities not listed above.
Note: I have already covered about a dozen issues related to SQL injection on this site. I am still asking this question because:
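The hardening the question asks about, shown as an added example that is not part of the original post and not Oracle's own code. It is Oracle PL/SQL and assumes a schema that owns a CUSTOMERS table; the procedure names, the CUSTOMERS table, the LAST_NAME column and the _ARCH suffix are made up for the illustration. It goes slightly beyond the question's DDL case by showing the same identifier check reused in front of a bound DML statement, so the two cases can be compared side by side.

```sql
-- Added example, not from the original post. Oracle PL/SQL; the procedure
-- names, the CUSTOMERS table and the _ARCH suffix are assumptions.
-- Rule of thumb used throughout: identifiers cannot be bound, so they are
-- checked against an allow-list and quoted with DBMS_ASSERT; values are bound;
-- the one literal that must be built by hand has its single quotes doubled.

-- Unsafe: both the identifier and the literal are glued into the DDL text.
-- p_table => 'X AS SELECT * FROM all_users --' turns the CREATE into a copy
-- of some other object (the -- comments out the rest of the line), and
-- p_comment => 'x'' ...' breaks out of the string literal.
CREATE OR REPLACE PROCEDURE archive_table_unsafe (
    p_table IN VARCHAR2, p_comment IN VARCHAR2) AUTHID CURRENT_USER AS
BEGIN
    EXECUTE IMMEDIATE 'CREATE TABLE ' || p_table || '_ARCH AS SELECT * FROM ' || p_table;
    EXECUTE IMMEDIATE 'COMMENT ON TABLE ' || p_table || '_ARCH IS ''' || p_comment || '''';
END;
/

-- Identifier check shared by the safe procedures below (assumed helper).
-- Exact match against the tables this schema owns: an injected name such as
-- 'X AS SELECT * FROM all_users --' is simply not in USER_TABLES.
-- ENQUOTE_NAME then wraps the name in double quotes (capitalize => FALSE keeps
-- the exact name that matched) and raises ORA-44003 on an unpaired '"'.
CREATE OR REPLACE FUNCTION checked_table_name (p_table IN VARCHAR2)
    RETURN VARCHAR2 AUTHID CURRENT_USER AS
    v_exists PLS_INTEGER;
BEGIN
    SELECT COUNT(*) INTO v_exists FROM user_tables WHERE table_name = p_table;
    IF v_exists = 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'not a table owned by this schema');
    END IF;
    RETURN DBMS_ASSERT.ENQUOTE_NAME(p_table, FALSE);
END;
/

-- Hardened DDL. Neither CREATE TABLE nor COMMENT ON accepts bind variables,
-- so the identifier goes through checked_table_name and the comment literal is
-- built by doubling every embedded single quote, which is the complete
-- escaping rule for an Oracle string literal: O'Brian becomes 'O''Brian'.
-- Each EXECUTE IMMEDIATE string is one SQL statement, never a BEGIN..END
-- block, so there is no way to smuggle a second statement into it.
CREATE OR REPLACE PROCEDURE archive_table (
    p_table IN VARCHAR2, p_comment IN VARCHAR2) AUTHID CURRENT_USER AS
    v_src     VARCHAR2(130);
    v_dst     VARCHAR2(140);
    v_literal VARCHAR2(4010);
BEGIN
    v_src     := checked_table_name(p_table);
    v_dst     := DBMS_ASSERT.ENQUOTE_NAME(p_table || '_ARCH', FALSE);
    v_literal := '''' || REPLACE(p_comment, '''', '''''') || '''';
    EXECUTE IMMEDIATE 'CREATE TABLE ' || v_dst || ' AS SELECT * FROM ' || v_src;
    EXECUTE IMMEDIATE 'COMMENT ON TABLE ' || v_dst || ' IS ' || v_literal;
END;
/

-- Dynamic DML with a bind: the value never becomes part of the statement
-- text, so O'Brian, a trailing UNION clause or an AND 1=1 are all just the
-- string being compared. Only the table name still needs the identifier check.
CREATE OR REPLACE FUNCTION count_rows_by_last_name (
    p_table IN VARCHAR2, p_last_name IN VARCHAR2)
    RETURN PLS_INTEGER AUTHID CURRENT_USER AS
    v_cnt PLS_INTEGER;
BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || checked_table_name(p_table)
                   || ' WHERE last_name = :name'
        INTO v_cnt USING p_last_name;
    RETURN v_cnt;
END;
/

-- Usage (constructed calls): the first two succeed, the third raises ORA-20001.
BEGIN
    archive_table('CUSTOMERS', 'snapshot requested by O''Brian');
    DBMS_OUTPUT.PUT_LINE(count_rows_by_last_name('CUSTOMERS', 'O''Brian'));
    archive_table('X AS SELECT * FROM all_users --', 'x');
END;
/
```

Two design choices are worth spelling out. The identifier defence is an allow-list (the name must already be one of the caller's own tables), not a character blacklist, because the question's own list of dangerous characters is open-ended and a blacklist is only as good as the last entry in it. And for DML the answer to the AND/UNION question is not escaping at all but binding: a bound value is never parsed as SQL, so the application can accept O'Brian unchanged at every layer. Stripping single quotes before EXECUTE IMMEDIATE, as the question describes, only protects string literals; it does nothing for an identifier or a numeric position, which is why the DDL path above validates the name rather than its quotes.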