Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
If we use best secure way for executing query such as prepared statement or parameterized query to prevent SQL injection attacks, is there guarantee to not any database error occure in executing it?
for example, sending invalid parameter for a given type in inserting record, cause error instead of use default value. can you bring an example?
One example, where parameterised queries doesn’t prevent database errors is a user could provide input so long it won’t fit inside the database type such as a 100,000 words essay in a username field limited to 50 characters.
Also, parameterised queries won’t protect against duplicate primary key errors, if say, a username they request on a registration form is already taken.
parameterised queries only ensure the values aren’t interpreted as SQL, it won’t prevent any other form of error (such as the SQL statement failing because the database is out of disk space)