Are Parametrize Queries in .NET safe from SQL Inject? That is, does .NET automatically escape dangerous characters when you use Parameters?
When you use parameters, they typically won’t be sent as text in the first place. They can use the native wire protocol for the database. If the parameter is a text parameter itself, then it will typically be encapsulated appropriately in the protocol so that the database knows it’s a parameter rather than SQL.
While I guess a provider could just translate the parameters into a full SQL statement, it would be an awful way of doing things.
So basically “yes” – parameterised queries are effectively safe from SQL injection attacks, so long as you don’t have stored procedures dynamically executing your parameters as SQL, etc.
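The contrast the answer describes, as an added example that is not part of the original answer: the string-concatenated query beside its parameterised form using `SqlCommand`/`SqlParameter`, plus the stored-procedure caveat. The `Users` table, the `@name` parameter and the `dbo.FindUser` procedure are assumed names for illustration.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: Microsoft.Data.SqlClient package; System.Data.SqlClient has the same API

public static class UserLookup
{
    // Vulnerable: the input is spliced into the SQL text, so the server parses
    // whatever it contains as SQL. Kept only as the "before" for comparison.
    public static int CountVulnerable(SqlConnection conn, string username)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + username + "'";
        using var cmd = new SqlCommand(sql, conn);
        return (int)cmd.ExecuteScalar();
    }

    // Parameterised: the SQL text is constant and the value travels separately
    // as a typed parameter. SqlClient sends this over TDS as an RPC call to
    // sp_executesql, so the value is never part of the statement that gets parsed.
    public static int CountSafe(SqlConnection conn, string username)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        using var cmd = new SqlCommand(sql, conn);
        // Give the parameter an explicit type and length rather than relying on
        // AddWithValue inference, which can cause implicit conversions and plan churn.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = username;
        return (int)cmd.ExecuteScalar();
    }

    // The caveat from the answer: the call is parameterised, but if the procedure
    // itself concatenates @name into dynamic SQL and EXECs it, the hole is back.
    //
    //   -- hypothetical procedure, unsafe body:
    //   CREATE PROCEDURE dbo.FindUser @name nvarchar(100) AS
    //     EXEC('SELECT COUNT(*) FROM Users WHERE Name = ''' + @name + '''');
    //
    //   -- safe body: dynamic SQL that stays parameterised inside T-SQL:
    //   CREATE PROCEDURE dbo.FindUser @name nvarchar(100) AS
    //     EXEC sp_executesql N'SELECT COUNT(*) FROM Users WHERE Name = @n',
    //                        N'@n nvarchar(100)', @n = @name;
    public static int CountViaProcedure(SqlConnection conn, string username)
    {
        using var cmd = new SqlCommand("dbo.FindUser", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = username;
        return (int)cmd.ExecuteScalar();
    }
}
```

Reviewing the procedure body, not just the C# call site, is the check to make when auditing this class of code.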