I’ve been looking at all three of these database libraries, and I’m wondering if they do anything to prevent SQL injection. I’m most likely going to be building a lib on top of one of them, and injection is a top concern I have in picking one. Anybody know?
Got with the author of the OTL library. A parameterized query written in “OTL Dialect,” as I’m calling it, will be passed to the underlying DB APIs as a parameterized query. So parameterized queries would be as injection safe as the underlying APIs make them.
Go to this other SO post for his full e-mail explanation:
Is C++ OTL SQL database library using parameterized queries under the hood, or string concat?
Edit: SOCI uses the soci::use expression, which translates to the usual binding mechanism, but with more syntactic sugar. Example:

    db_session << "insert into table(column) values(:value_placeholder)", use(user_input, "value_placeholder");

As far as DTL is concerned, I'm not sure what it does with parameters in relation to the underlying APIs.
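As an added illustration (not part of the answer above, and not code from SOCI, OTL or DTL), the following self-contained C++ models what the answer describes: a bound statement hands the driver constant SQL text plus a separate set of named values, whereas concatenation makes the value part of the SQL text. It also shows the kind of check a wrapper library built on top of one of these APIs might add: confirming that every `:name` placeholder in the statement has exactly one binding. `ParamQuery`, `concat_query`, `bound_query`, `placeholders` and `bindings_complete` are hypothetical names chosen for this example; the placeholder scan is deliberately simplified and ignores quoted strings and comments.

```cpp
// Added example, not from the SO answer or from any of the libraries discussed.
// Models the difference between concatenated SQL and a bound (parameterized)
// statement, plus a placeholder/binding consistency check for a wrapper library.
#include <cctype>
#include <map>
#include <set>
#include <string>

// What a binding API such as SOCI's use() conceptually passes to the driver:
// fixed statement text and a separate map of named values (hypothetical type).
struct ParamQuery {
    std::string text;                           // does not vary with user input
    std::map<std::string, std::string> params;  // travels beside the text, not inside it
};

// Unsafe alternative: the value is spliced into the SQL text, so a single
// apostrophe in the input already changes the statement's structure.
std::string concat_query(const std::string& user_input) {
    return "insert into table(column) values('" + user_input + "')";
}

// Parameterized alternative: the text is a constant; the value is bound by name,
// mirroring  use(user_input, "value_placeholder")  in the answer above.
ParamQuery bound_query(const std::string& user_input) {
    ParamQuery q;
    q.text = "insert into table(column) values(:value_placeholder)";
    q.params["value_placeholder"] = user_input;
    return q;
}

// Collect ":name" placeholders from statement text. Simplified scan: it does not
// skip quoted literals or comments, which a real driver's parser would.
std::set<std::string> placeholders(const std::string& text) {
    std::set<std::string> names;
    for (size_t i = 0; i < text.size(); ++i) {
        if (text[i] != ':') continue;
        size_t j = i + 1;
        while (j < text.size() &&
               (std::isalnum(static_cast<unsigned char>(text[j])) || text[j] == '_')) {
            ++j;
        }
        if (j > i + 1) names.insert(text.substr(i + 1, j - i - 1));
        i = j - 1;
    }
    return names;
}

// Check a wrapper library would want before executing: every placeholder in the
// text is bound and no stray bindings exist. Returns true when the sets match.
bool bindings_complete(const ParamQuery& q) {
    std::set<std::string> wanted = placeholders(q.text);
    std::set<std::string> given;
    for (const auto& kv : q.params) given.insert(kv.first);
    return wanted == given;
}
```

The point the model makes explicit is that `bound_query("O'Brien").text` is byte-for-byte the same statement as for any other input, while `concat_query("O'Brien")` yields SQL with an unbalanced quote; whether the driver actually keeps that separation all the way down is, as the answer says, a property of the underlying database API, not of the C++ wrapper's syntax.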