DEV Community

Discussion on: Why is SQL injection still a thing?

Davyd McColl

I guess some of the problem is that people are introduced to SQL as "a bunch of text we send to a server somewhere to get data" and they're also introduced to "you can build SQL strings". Logically, what follows is "to get filter data (and other data) into SQL queries, use string concatenation".

Sometimes that's viable; sometimes we can use in-line quoting to get where we want; but yes: we should have been introduced to SQL as a secondary language from the start, i.e. how to interact with SQL-based databases from another language, where parameters are the best method for getting dynamic data into queries.

Also, I guess SQL is difficult enough because it requires "set thinking" over "iterative thinking", so that's already a lot for people to deal with (:
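As an added illustration of the distinction the comment draws (this is example code, not part of Davyd's comment or the original discussion), here is the same lookup written two ways in Python against the standard-library `sqlite3` module: once with the filter value concatenated into the query text, once with it passed as a bound parameter. The table, rows and inputs are constructed for the demo; the `users` table and the `find_by_name_*` function names are assumptions, not anything from the thread.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original page.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the statement is assembled by string concatenation, so a
    quote character in `name` changes the *structure* of the SQL, not just
    the value being compared."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the statement text is fixed; `name` travels separately as a bound
    parameter and is only ever treated as a value to compare against."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary value and with the textbook
    filter-bypass input, and return the four result sets for comparison."""
    conn = make_db()
    normal = "bob"
    hostile = "' OR '1'='1"  # constructed hostile input
    return {
        "concat_normal": find_by_name_concat(conn, normal),
        "concat_hostile": find_by_name_concat(conn, hostile),  # returns every row
        "param_normal": find_by_name_param(conn, normal),
        "param_hostile": find_by_name_param(conn, hostile),  # returns no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated version the hostile input turns the `WHERE` clause into `name = '' OR '1'='1'`, which matches the whole table; with the parameterised version the driver compares the column against the literal string `' OR '1'='1` and nothing matches. The `?` placeholder is SQLite's style; other drivers use `%s` or `:name`, but the principle is the same, and it is what the comment means by treating SQL as a language you talk to from another language.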