- I have used parameterized queries a number of times and I know they help in preventing SQL injection. But I was wondering whether I can find out what the basic logic working inside a parameterized query to prevent SQL injection is; maybe it is very simple, but I don't know about it. I tried to search Google for the basics of it, but every time I found an example of how to use a parameterized query in Asp.net.
- I know about making a special class which stops those special characters like (', -- etc.) which are used in SQL injection, but does stopping only special characters totally prevent SQL injection?
- And one last thing: can .net parameterized queries fully stop SQL injection?
I think parametrized queries are not dependent on the database's support for prepared queries. The database driver itself passes the values the safe way, and how that is done depends on the driver itself.
The PostgreSQL manual explains the basics of parametrized queries at the database level.
On the other hand, parametrized queries simplify passing locale-sensitive data. For example, the user enters the decimal 100,00, but your server expects the value 100.00.
In every database engine I know, using "prepared" (aka "parametrized", or "static") queries prevents SQL injection. You don't need to filter any characters if they're being passed to parameters. If you ever write SQL that is concatenated together in code rather than prepared with parameters, you are probably at risk for SQL injection. You should read the security manual for the database you're using; it will very likely have a section on SQL injection, but just read all of it. I bet it will take under an hour and will give you solid instruction and confidence that you're following the best practices that apply to your database.
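As an added illustration (not code from the question or either answer), here is the same login query written both ways using Python's built-in sqlite3 module, which uses `?` placeholders; the users table and its rows are constructed for the example. The parameterized form treats quote-laden input purely as data, while the concatenated form both mis-parses a legitimate name like O'Brien and lets a crafted string match every row.

```python
import sqlite3

# Constructed sample data for the example; not part of the original answers.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("O'Brien", "pw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Parameterized insert: the apostrophe in "O'Brien" needs no escaping.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    # Vulnerable: user input is spliced into the SQL text, so a quote in the
    # input changes the structure of the statement the engine parses.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    # Safe: the statement text is fixed before any value is seen; the driver
    # sends the values separately, so they can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def concat_breaks_on_quote():
    # A legitimate name containing an apostrophe is enough to break the
    # concatenated query: SQLite reports a syntax error.
    conn = make_db()
    try:
        login_concat(conn, "O'Brien", "pw")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    crafted = "' OR '1'='1"  # classic test string, used here only to show the difference
    return {
        # parameters handle the apostrophe correctly
        "param_quote_name": login_param(conn, "O'Brien", "pw"),
        # concatenation: WHERE clause becomes always-true, every row returned
        "concat_with_crafted": login_concat(conn, crafted, crafted),
        # parameters: the string is compared literally, nothing matches
        "param_with_crafted": login_param(conn, crafted, crafted),
    }
```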
Source: https://stackoverflow.com/questions/4446855/basics-of-parameterized-query