Parameters are used to protect you from malicious user input.
But if the parameter expects a string, is it possible to write input that will be interpreted as SQL, so malicious users can use things like ‘DROP’, ‘TRUNCATE’, etc…?
Are there differences in protection between parameters in ASP, ASP.NET, Java and others?
See also: Are parameters really enough to prevent SQL injections?
Parameterized queries generally quote the parameter if it is a string behind the scenes so that the normal SQL operators are not interpreted as such. This means that even if a user enters potentially malicious data it is simply treated as a string input and not interpreted as SQL operators/commands.
There may be technical differences in how it is implemented in the various frameworks, but the basic idea (and result) is the same.
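To make the answer concrete, here is an added example (not from the question or answer above) using Python's built-in `sqlite3` module and a constructed in-memory `users` table: the same awkward input matches every row when concatenated into the SQL text, but matches nothing, and round-trips unchanged, when passed as a parameter.

```python
import sqlite3

MALICIOUS = "x' OR '1'='1"  # constructed sample input containing a quote and an operator


def make_db() -> sqlite3.Connection:
    # Constructed sample database with two users (hypothetical data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the input is pasted into the statement text, so the
    # quote and the OR inside it become part of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized form: the driver passes the value separately from the
    # statement, so it can only match a name that is literally equal to it.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def store_and_lookup(conn: sqlite3.Connection, name: str) -> list:
    # Stored and read back through parameters: the text survives unchanged,
    # which is what "treated as a string input" means in practice.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return find_user_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    print("concat   :", find_user_concat(db, MALICIOUS))  # every row
    print("param    :", find_user_param(db, MALICIOUS))   # no rows
    print("roundtrip:", store_and_lookup(db, MALICIOUS))  # the literal string
```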