Ivan Sergio Borgonovo wrote:
Yeah... but how can I effectively enforce the policy that ALL input will be passed through prepared statements?
Code reviews are about the only way to enforce this.
If I can't, and I doubt there is a system that will let me enforce that policy at a reasonable cost, why not providing a safety net that will at least raise the bar for the attacker at a very cheap cost?
How do you do this? Disallow string concatenation and/or variable interpolation for any string that's going to be shipped off to the database? Do you parse the SQL string according to the rules of any backend database you might be talking to, to see if you have a where clause not using a prepared statement? i.e. - Nothing is going to work here.
You're stuck with making sure developers know the most rudimentary things about talking to a database.
