How does sql parameters work?

Genbox

Hi. I use sql parameters every time i connect to a database, so it's about time i know the truth :) Does SQL parameters block SQL injections 100%? and how is parameters different from normal SQL strings? (In the way it works)

Paul Conrad

Have you read this article about SQL injection attacks[^], here at CP?

Genbox

Yes, i have read it, understand SQL injections and how to prevent it. But is sql parameters really 100% secure, and how does it work? (does it put '' around the data input or/and does it have any checks against the attacks?)

Lost User

Also have a read of ... http://www.securitypronews.com/news/securitynews/spn-45-20061019MaliciousCodeInjectionNotJustforSQLAnymore.html#resume[^]

Genbox

Thanks for the link. Nice to know, but unfortunaly it does not answer my question.

Paul Conrad

Richard A. Abbott wrote:

Also have a read of ... http://www.securitypronews.com/news/securitynews/spn-45-20061019MaliciousCodeInjectionNotJustforSQLAnymore.html#resume\[^\]

Another article worth bookmarking :)

Paul Conrad

GentooBoxX wrote:

is sql parameters really 100% secure, and how does it work?

As far as I know it is secure. I haven't run into any security breaches using SQL parameters. I pretty much stick to stored procedures. You may want to contact the author of the article I mentioned :) Paul

Genbox

I have never been able to execute an SQL injection attack on any on my applications that uses SQL parameters, but there is always someone better knowing out there :) I will contact the author of the article you mentioned, did not even think of that for some weird reason.

Paul Conrad

GentooBoxX wrote:

I have never been able to execute an SQL injection attack on any on my applications that uses SQL parameters, but there is always someone better knowing out there

Same here and I'd like to also know if it's 100% secure. I am for the time going with that until someone out there proves otherwise :)