basics of parameterized query

筅森魡賤 submitted on 2019-12-06 08:09:23
Peposh

I think parametrized queries are not dependent on the database's prepared-query support. The database driver itself passes values the safe way, and how that is done depends on the driver itself.

The PostgreSQL manual explains basics about parametrized queries on database level.

On the other hand, parametrized queries simplify passing locale-sensitive data. For example, the user enters the decimal 100,00, but your server expects the value 100.00.

In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed as parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk for SQL injection. You should read the security manual for the database you're using; it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following the best practices that apply to your database.
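Added example (not code from either answer above): a small Python script using the standard-library sqlite3 driver that shows both points the answers make, the injection risk of concatenated SQL beside the parameterized form, and passing a locale-formatted amount ("100,00") as a typed parameter instead of splicing text into the query. The in-memory database, the users table and its three rows are constructed for the demonstration; parse_amount and the cents-based storage are assumptions of this example, not a feature of any driver.

```python
import sqlite3
from decimal import Decimal


def make_db():
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance_cents INTEGER)"
    )
    # Sample rows constructed for this example
    conn.executemany(
        "INSERT INTO users (name, balance_cents) VALUES (?, ?)",
        [("alice", 10000), ("bob", 5000), ("carol", 7550)],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    """Vulnerable form: user input is spliced into the SQL text.

    A value containing a quote changes the structure of the statement,
    so a WHERE clause meant to match one name can match every row.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Safe form: the SQL text is fixed and the driver binds the value.

    Whatever characters the input contains, it is compared as data and
    never parsed as SQL, so no escaping or filtering is needed.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def parse_amount(text, decimal_sep="."):
    """Convert a locale-formatted amount into a Decimal (assumed helper).

    The locale conversion happens in application code; the database only
    ever sees a typed value, not the user's raw string.
    """
    return Decimal(text.replace(decimal_sep, "."))


def set_balance_cents(conn, name, amount):
    """Store an amount as integer cents via bound parameters.

    Returns the stored cents value so callers can verify the round trip.
    """
    cents = int(amount * 100)
    conn.execute(
        "UPDATE users SET balance_cents = ? WHERE name = ?", (cents, name)
    )
    conn.commit()
    row = conn.execute(
        "SELECT balance_cents FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("concatenated:", find_user_concatenated(db, tautology))  # every row
    print("parameterized:", find_user_parameterized(db, tautology))  # no row
    amount = parse_amount("100,00", decimal_sep=",")
    print("stored cents:", set_balance_cents(db, "bob", amount))
```

Running the script shows the concatenated lookup returning all three names for an input that is not a name at all, while the parameterized lookup returns nothing, because the driver bound the whole string as one value. The amount path shows the second answer's point: the server-side locale handling stays in application code, and the query receives a typed integer.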
