
"The attack is only successful when the program that is being injected does not sanitize user supplied data."

Well, which is it? Does "regular" sanitizing prevent it, in which case is there anything new about this other than the massive scale? Or is the news that it sidesteps sanitizing because it's hex-encoded, in which case the statement is false?



Ah, my other post in this article was meant to be a reply to you. ENOBRAIN.

Basically, if you are using bindvars or even the simplest sanitation, you're safe. This "attack" lets you inject expressions that need a ' in them without a ' going over the wire.
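A worked illustration of the reply's point, added here as an example and not code from the article or from either commenter. It assumes an SQLite table (constructed sample data) and uses SQLite's `char()` function as a stand-in for the hex encoding discussed in the thread: the constructed payload spells `'admin'` as `char(97,100,109,105,110)`, so no apostrophe ever goes over the wire. The four lookup functions compare naive concatenation, apostrophe escaping, integer validation, and a bind variable on the same payload.

```python
import sqlite3


def setup_db():
    """Constructed sample table; not data from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "root", "admin")],
    )
    return conn


# Constructed payload (hypothetical). It contains no apostrophe: the string
# 'admin' is spelled as char(97,100,109,105,110), so a filter that only looks
# for quote characters never sees anything to escape.
PAYLOAD = "0 OR role = char(97,100,109,105,110)"


def lookup_vulnerable(conn, user_id):
    # Numeric context: the query itself puts no quotes around {user_id},
    # so the attacker needs none either.
    sql = f"SELECT id, name, role FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_quote_escaped(conn, user_id):
    # Doubling apostrophes does nothing to a payload that has none.
    escaped = str(user_id).replace("'", "''")
    sql = f"SELECT id, name, role FROM users WHERE id = {escaped}"
    return conn.execute(sql).fetchall()


def lookup_validated(conn, user_id):
    # The simplest check for a numeric field: refuse anything that is not an int.
    sql = f"SELECT id, name, role FROM users WHERE id = {int(user_id)}"
    return conn.execute(sql).fetchall()


def validation_rejects(user_id):
    # True when the integer check above would refuse this input.
    try:
        int(user_id)
    except (TypeError, ValueError):
        return True
    return False


def lookup_bound(conn, user_id):
    # Bind variable: the payload is passed as a value and never parsed as SQL,
    # so the whole string is compared against the integer column and matches nothing.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))
    print("quote-escaped: ", lookup_quote_escaped(db, PAYLOAD))
    print("bound:         ", lookup_bound(db, PAYLOAD))
    print("validated:     ", "rejected" if validation_rejects(PAYLOAD) else "accepted")
```

Run it and the first two lookups return the admin row even though the payload never contained a quote; the integer check rejects it outright and the bound query returns nothing.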



