Additional Defenses as a Mitigation Against Future Mistakes

In this lesson, we will discuss some additional defenses against SQL injections.

Prepared statements do not cover it all

Proper use of prepared statements is our primary defense against SQL injection. Prepared statements are great, but we have to remember to use them every time we write code that touches SQL; we’re never “done” with applying this defense. And if we’re building complex, dynamic SQL statements with user input in parts of the SQL that aren’t ...