From ae469515a79f3860a0b1e03131889c58a637d7ed Mon Sep 17 00:00:00 2001 From: eiffel-org Date: Fri, 3 Feb 2017 18:13:14 +0000 Subject: [PATCH] Update wikipage Defending against SQL injections with EiffelStore. (Signed-off-by:javier). git-svn-id: https://svn.eiffel.com/eiffel-org/trunk@1771 abb3cda0-5349-4a8f-a601-0c33ac3a8c38 --- .../eiffelstore/EiffelStore-SQL-injection.wiki | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki b/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki index f0277a2c..b9a21c80 100644 --- a/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki +++ b/documentation/trunk/solutions/database-access/eiffelstore/EiffelStore-SQL-injection.wiki @@ -11,8 +11,10 @@ In this article we will explain you how to use EiffelStore API to avoid SQL inje = What is an SQL injection? = An SQL injection attack is a coding technique that inserts, or "injects", an SQL query via the input data, passing unsafe input from the client to the application. A successful SQL injection can enable the attacker to read sensitive data from the database, modify database data (Insert/Update/Delete), or become administrator of the database server. To learn more about SQL injection, read the following articles. +{{SeeAlso| * [https://en.wikipedia.org/wiki/SQL_injection https://en.wikipedia.org/wiki/SQL_injection] * [https://www.owasp.org/index.php/SQL_injection https://www.owasp.org/index.php/SQL_injection] +}} = Template Query = A template query is a string containing the fixed parts of the query and placeholders for the variable parts, and you can later substitute in values into those placeholders. (Bind variables to the query.). A template query could be static or dynamic @@ -20,7 +22,7 @@ A template query is a string containing the fixed parts of the query and placeho {{Note|the way you bind variables to the query is quite important and it will define if your query is safe and avoid a SQL Injection attack.}} == How to define placeholders (variables) in a SQL Template query? == -Variables syntax is simple: the ':' special character followed by the variable name, something like :value +Variables syntax is simple: the ':' special character followed by the variable name, for example :value SELECT * FROM TABLE_NAME WHERE field1 = :value