Does using preparedStatement mean there will not be any SQL Injection?

广开言路 2021-02-20 10:58

I have read that to prevent SQL Injection one must use PreparedStatement.
Does that mean if I am using PreparedStatement then no one can perform SQL Injection in any of my p

5 answers
  •  深忆病人
    2021-02-20 11:25

    As long as you're actually using the parameter substitution feature of the prepared statement (it's possible to misuse them and not use that feature), and provided there isn't a bug in the prepared statement library you're using, then you should be fine against raw SQL injection. That doesn't mean you shouldn't treat whatever the user gives you with suspicion, though. :-)
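
As an added illustration of the distinction this answer draws (not code from the original thread), here is the misuse and the correct use side by side in Python's sqlite3 module, whose `?` placeholders behave like the parameters of a JDBC `PreparedStatement`; the table and rows are constructed for the example. It also shows one case placeholders cannot cover at all, an identifier such as a sort column, which has to be checked against a fixed allow-list instead.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so they are allow-listed.
ALLOWED_SORT = {"name", "role"}


def make_db():
    # Constructed in-memory sample data (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concatenated(conn, name):
    # Misuse: the statement is "prepared", but the input is pasted into the
    # SQL text first, so the engine parses user-controlled text as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Correct use: the SQL text is fixed; the input is bound to the ?
    # placeholder and reaches the engine as a value, never as syntax.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_sorted(conn, sort_col):
    # A column name is an identifier, not a value, so no placeholder can
    # carry it; reject anything outside the allow-list before interpolating.
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return [r[0] for r in conn.execute(f"SELECT name FROM users ORDER BY {sort_col}")]


def demo():
    conn = make_db()
    # A tautology payload: concatenated, it returns every user; bound as a
    # parameter, it simply matches no user with that literal name.
    payload = "x' OR '1'='1"
    return lookup_concatenated(conn, payload), lookup_parameterized(conn, payload)


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated:  ", leaked)  # ['alice', 'bob']
    print("parameterized: ", safe)    # []
```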
