parameterized-query

I have used parameterized query number of times I know it helps in preventing SQL injection. But, I was wondering if I can know what is basic logic working inside a parameterized query to prevent SQL injection may be it is very simple but I don't know about it. I tried to search google what are the basic of it but every time I found an example that how to use parameterized query in Asp.net. I know about making a special class which stops those special characters like (',-- etc) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection? And one

I have already done research into this, and though the below questions are similar, I have tried them all, but none seems to solve my issue. Proper way of getting a data from an Access Database using parameters inserting data into access database Getting Data from Access into a text box in C# by clicking a button UPDATE query on Access Database not working C#.NET passing parameter to access query from c# Parameterized query for inserting values Here is the part of the code that is relevant: private void LoadDetails(int index) { try { connection.Open(); command = new OleDbCommand("SELECT * from

As far as I understand, prepared statements are (mainly) a database feature that allows you to separate parameters from the code that uses such parameters. Example: PREPARE fooplan (int, text, bool, numeric) AS INSERT INTO foo VALUES($1, $2, $3, $4); EXECUTE fooplan(1, 'Hunter Valley', 't', 200.00); A parameterized query substitutes the manual string interpolation, so instead of doing cursor.execute("SELECT FROM tablename WHERE fieldname = %s" % value) we can do cursor.execute("SELECT FROM tablename WHERE fieldname = %s", [value]) Now, it seems that prepared statements are, for the most part,