I heard that separated SQL clause and args can protect against SQL injection. For example,

clause = SELECT * WHERE ID = ? AND NAME = ?

with ID = 23, and NAME = "Tom".

Can someone explain to me how it works?

1 Answer

Basically, you're making the distinction between data and the actual code (query part) very clear. You're telling the SQL server: this is clearly data and this is clearly code.

This way, you're basically skipping the part where the server has to pull apart the code and data from your query so there's no chance the server can misinterpret bits of data as part of your query.

Edit: as per the link in the comments, this answer pretty much answers your question much better than I've explained here.

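To make the code/data separation described in the answer concrete, here is an added example (not part of the question or the answer) using Python's sqlite3 module against a constructed in-memory table; the table name `users`, the `make_db` helper and the hostile sample input are assumptions introduced for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(23, "Tom"), (24, "Alice"), (25, "Bob")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, user_id: int, name: str) -> list:
    # Defective form: the data is pasted into the query text, so the server
    # must re-parse the whole string and can read part of the data as SQL.
    sql = f"SELECT id, name FROM users WHERE id = {user_id} AND name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: int, name: str) -> list:
    # Hardened form: the clause (code) and the args (data) travel separately.
    # Each '?' is a placeholder; the driver binds the values after the clause
    # has already been parsed, so they can never be interpreted as SQL.
    clause = "SELECT id, name FROM users WHERE id = ? AND name = ?"
    return conn.execute(clause, (user_id, name)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal lookup, ID = 23 and NAME = "Tom" as in the question.
    print(lookup_parameterized(db, 23, "Tom"))

    # A name value containing SQL syntax. Concatenation lets it rewrite the
    # WHERE clause; parameterization compares it as a plain string.
    hostile_name = "x' OR '1'='1"
    print(lookup_concatenated(db, 23, hostile_name))   # every row leaks
    print(lookup_parameterized(db, 23, hostile_name))  # no row has that name
```

Compare the two results for the hostile value: the concatenated query returns all three rows, while the parameterized one returns none, because the bound value is matched literally against the name column.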