Can I avoid all SQL-injection attacks by using parameters?

Can I avoid all SQL-injection attacks by using parameters?
And not have to worry about anything else in SQL injection in this case?
Or are there some types of these attacks which require more care on the part of the programmer?

Mohamad Alhamoud asked Sep 17 '10 15:09


2 Answers

No, you can't avoid all SQL injection attacks by using parameters. Dynamic SQL is the real issue, and this can occur in stored procedures as well as in your application code.

E.g., this is prone to a SQL injection attack: your parameterized query passes a username to a stored procedure, and within the stored procedure the parameter is concatenated to a SQL command and then executed.

For an example of many kinds of SQL injection attacks, see this SQL Injection Cheat Sheet. You will see that simply escaping single quotes is just scratching the surface, and that there are many ways around that.

D'Arcy Rittich answered Nov 06 '22 06:11


Yes and no. Yes, if all of your SQL statements are indeed static and use only parameters, then you're 100% protected from SQL injection attacks.

The problem comes when the parameters themselves are used to construct dynamic SQL statements. An example would be a stored procedure that generates a SQL statement dynamically for querying a multitude of different options, where a single monolithic statement would be impractical. While there are better solutions to this problem, this is a common one.

Adam Robinson answered Nov 06 '22 05:11
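Both answers point at the same trap: the application passes a value as a parameter, but a stored procedure then concatenates that value into a SQL string and executes it, which throws the protection away. The following T-SQL is an added illustration, not code from either answer; it assumes a hypothetical dbo.Users table with UserName and DisplayName columns, and the procedure names are made up. It shows the concatenating procedure beside a version that keeps the dynamic SQL parameterised with sp_executesql, and then the "many options" case from the second answer, where the statement text is assembled from fixed fragments while every value still travels as a parameter.

```sql
-- Added example (hypothetical dbo.Users table and procedure names), T-SQL.

-- 1. The pattern the answers warn about: @UserName arrives as a real parameter,
--    but inside the procedure it is spliced into the SQL text and executed.
--    Whatever the caller supplied is now part of the statement, not data.
CREATE PROCEDURE dbo.GetUser_Unsafe
    @UserName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserName, DisplayName FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@sql);   -- parameterisation was lost on this line
END;
GO

-- 2. The same procedure with the dynamic statement itself parameterised:
--    the SQL text is a constant and the value is bound separately, so the
--    server never interprets the value as SQL.
CREATE PROCEDURE dbo.GetUser_Safe
    @UserName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserName, DisplayName FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(50)', @u = @UserName;
END;
GO

-- 3. Dynamic SQL built from optional search criteria (the second answer's case).
--    Only fixed text fragments are concatenated; values remain parameters.
--    A sort column cannot be a parameter, so it is reduced to a known list
--    with CASE and wrapped in QUOTENAME before being appended.
CREATE PROCEDURE dbo.SearchUsers
    @UserName    NVARCHAR(50)  = NULL,
    @DisplayName NVARCHAR(100) = NULL,
    @SortColumn  SYSNAME       = N'UserName'
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserName, DisplayName FROM dbo.Users WHERE 1 = 1';

    IF @UserName IS NOT NULL
        SET @sql += N' AND UserName = @UserName';
    IF @DisplayName IS NOT NULL
        SET @sql += N' AND DisplayName LIKE @DisplayName';

    -- whitelist the identifier: anything unknown falls back to the default
    SET @SortColumn = CASE @SortColumn
                          WHEN N'DisplayName' THEN N'DisplayName'
                          ELSE N'UserName'
                      END;
    SET @sql += N' ORDER BY ' + QUOTENAME(@SortColumn);

    EXEC sp_executesql @sql,
        N'@UserName NVARCHAR(50), @DisplayName NVARCHAR(100)',
        @UserName = @UserName, @DisplayName = @DisplayName;
END;
GO
```

The check to run on an existing code base is simple: wherever EXEC(...) or sp_executesql is used, confirm that no caller-supplied value appears inside the string being executed, only inside the parameter list. Identifiers (table or column names) are the one thing that cannot be bound as a parameter, which is why the third procedure restricts them to a fixed set and quotes them with QUOTENAME rather than trusting the input.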