It is well publicized that prepared statements are a good defense against SQL injection attacks.
Can someone explain what happens in the binding process that makes this so?
My main confusion stems from the fact that a statement uses placeholders and these placeholders are replaced with variables. Therefore, if the variables contain malicious SQL, then they are still bound in place of the placeholders?
No, the binding process assures that the binding values are a 1:1 match to the value that comes into the database.
So, ‘xxx; DROP TABLE yyy;’ as a value would be the actual value in the varchar field. When not using parameter binding, this code would be executed.
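Added example, not part of the question or the answer above: a self-contained Python script against an in-memory SQLite database that shows both sides of the answer. The table `yyy`, its column `v`, and the row `alice` are constructed here for the demonstration. The hostile value is a variant of the answer's `xxx; DROP TABLE yyy;` that also closes the string literal and the parenthesis, which is what it needs to do for the concatenated statement to parse. Bound as a parameter it is stored verbatim and the table survives; spliced into the SQL text it is executed and the table is gone. The same script shows the read side with a tautology in a `WHERE` clause.

```python
"""Parameter binding vs string concatenation, demonstrated on SQLite.

Constructed example: the table, column names and rows are made up here.
The point is that a bound parameter travels to the database separately
from the SQL text, so it can only ever be data, never part of the query.
"""
import sqlite3

# Hostile value: the quote and parenthesis end the string literal so the
# rest is parsed as SQL when the value is concatenated into the query text.
HOSTILE_VALUE = "xxx'); DROP TABLE yyy; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a small constructed table named yyy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE yyy (id INTEGER PRIMARY KEY, v VARCHAR(100))")
    conn.execute("INSERT INTO yyy (v) VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue (with a bound parameter) for a table name."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def insert_by_concatenation(conn: sqlite3.Connection, value: str) -> bool:
    """VULNERABLE: the value is pasted into the SQL text.

    executescript is used because the hostile value smuggles in a second
    statement; SQLite's single-statement execute() would refuse it, but
    multi-statement APIs and other drivers run it. Returns whether yyy
    still exists afterwards.
    """
    sql = "INSERT INTO yyy (v) VALUES ('" + value + "')"
    conn.executescript(sql)
    return table_exists(conn, "yyy")


def insert_by_binding(conn: sqlite3.Connection, value: str) -> bool:
    """SAFE: fixed SQL text, value handed over as a parameter.

    The driver never rebuilds the query string; the value is bound to the
    placeholder and lands in the column 1:1. Returns whether yyy exists.
    """
    conn.execute("INSERT INTO yyy (v) VALUES (?)", (value,))
    conn.commit()
    return table_exists(conn, "yyy")


def stored_values(conn: sqlite3.Connection) -> list:
    """All values in yyy.v, in insertion order."""
    return [r[0] for r in conn.execute("SELECT v FROM yyy ORDER BY id")]


def lookup_by_concatenation(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE read: a tautology in the value widens the WHERE clause."""
    sql = "SELECT v FROM yyy WHERE v = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_by_binding(conn: sqlite3.Connection, name: str) -> list:
    """SAFE read: the bound value is compared as a whole against the column."""
    return [r[0] for r in conn.execute("SELECT v FROM yyy WHERE v = ?", (name,))]


if __name__ == "__main__":
    db = fresh_db()
    print("bound insert, table survives:", insert_by_binding(db, HOSTILE_VALUE))
    print("stored verbatim:", stored_values(db))
    print("bound lookup:", lookup_by_binding(db, "x' OR '1'='1"))
    print("concatenated lookup:", lookup_by_concatenation(db, "x' OR '1'='1"))
    print("concatenated insert, table survives:",
          insert_by_concatenation(db, HOSTILE_VALUE))
```

Run it and the bound insert leaves `xxx'); DROP TABLE yyy; --` sitting in the `v` column as an ordinary string, while the concatenated insert executes the `DROP TABLE`. The `?` placeholder is SQLite's syntax; other drivers use `%s`, `:name` or `$1`, but the mechanism is the same as long as the value goes in the parameter list and not into the string.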