Is MySQL more resistant to SQL injection attack than PostgreSQL (under Perl/DBI)?

误落风尘 2021-01-06 08:12

I am reviewing a Linux-based Perl web application that contains a login handler with the ubiquitous

my $sth = $DB->prepare("SELECT password from passwords where use

4 answers
  •  走了就别回头了
    2021-01-06 08:52

    Guarding against injection attacks is not the responsibility of the database, it's the responsibility of the developer. If the developer writes code that creates queries by concatenating strings derived from user input the resulting queries will be vulnerable to injection attacks, and all the code spent on sanitization, etc, is IMHO a waste of time. If the code is written to use parameterized queries, and user input is relegated to being used as parameter values, the resulting queries will be reasonably safe from injection attacks. (And I'd be interested in hearing how it might be possible to do an injection attack through a parameter value).

    Share and enjoy.
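The two query styles the answer contrasts, side by side, as an added example that is not part of the original question or answer. It uses DBD::SQLite in memory so it runs offline; the table name `passwords` and the `password` column come from the fragment in the question, while the `username` column, the sample rows and the payload string are constructed here.

```perl
#!/usr/bin/env perl
# Added example (not code from the original post): the login lookup built
# by string concatenation beside the same lookup using a DBI placeholder.
# Table/column names beyond "passwords"/"password" and the rows are assumed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });

$dbh->do('CREATE TABLE passwords (username TEXT PRIMARY KEY, password TEXT)');
$dbh->do(q{INSERT INTO passwords VALUES ('alice', 'hunter2'), ('bob', 's3cret')});

# Vulnerable form: the user-controlled value becomes part of the SQL text,
# so quote characters in it change the statement the parser sees.
sub lookup_concat {
    my ($dbh, $username) = @_;
    my $sth = $dbh->prepare(
        "SELECT password FROM passwords WHERE username = '$username'");
    $sth->execute;
    return $sth->fetchall_arrayref;   # arrayref of [password] rows
}

# Parameterized form: the value is passed to execute() as a bind value and
# is never parsed as SQL, whatever characters it contains.
sub lookup_bound {
    my ($dbh, $username) = @_;
    my $sth = $dbh->prepare(
        'SELECT password FROM passwords WHERE username = ?');
    $sth->execute($username);
    return $sth->fetchall_arrayref;
}

# Constructed injection payload: closes the string literal and appends an
# always-true condition.
my $attack = "x' OR '1'='1";

for my $name ('alice', $attack) {
    my $rows = lookup_concat($dbh, $name);
    printf "concat  %-18s -> %d row(s)\n", "'$name'", scalar @$rows;
    $rows = lookup_bound($dbh, $name);
    printf "bound   %-18s -> %d row(s)\n", "'$name'", scalar @$rows;
}
```

Run it and compare the two lines for the payload: the concatenated query matches every row in the table, the bound query matches none, because the placeholder version sends the literal 11-character string as a value rather than as SQL. The same `?` placeholder syntax works unchanged against DBD::mysql and DBD::Pg, which is why the database engine does not decide the outcome; the only thing that matters is whether user input reaches `prepare` as text or `execute` as a parameter.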
