In PHP, I've found a few methods to prevent Sql Injection. Binding parameters is one of them. But I'm unable to find a complete explanation of how binding parameters actually prevent Sql Injection. I was of the notion that binding parameters simply save time in binding different data to the same Sql statement. How does prevention of Sql injection come into the picture?
By using bind variables exclusively in your code, you avoid concatenating SQL statements and thereby prevent malicious users from altering or injecting additional statements. Oracle database uses the value of the bind variable exclusively and does not interpret its contents in any way.
Parametrized queries: This method makes it possible for the database to recognize the code and distinguish it from input data. The user input is automatically quoted and the supplied input will not cause the change of the intent, so this coding style helps mitigate an SQL injection attack.
Bind parameters—also called dynamic parameters or bind variables—are an alternative way to pass data to the database. Instead of putting the values directly into the SQL statement, you just use a placeholder like ?, :name or @name and provide the actual values using a separate API call.
A parameter binding is a piece of information that is transmitted from the origin to the destination of a flow. A parameter binding has a name and a value, which is obtained at its origin component. A flow may have multiple parameter bindings, passing a set of values instead of a single one.
I think a simple example will explain the thing to you:
"select * from myTable where name = " + condition;
imagine that the user input for condition is
'123'; delete from myTable; commit;
what happens then? The query executed will be
select * from myTable where name = '123'; delete from myTable; commit;
or actually we have three queries, with disastrous consequences:
select * from myTable where name = '123';
delete from myTable;
commit;
in the case of bind variables
"select * from myTable where name = @prmName"
whatever the user input is, it'll be one and only one query, and the weird input above will always be treated as a string, not as a part of the query. The outcome will be (most probably) an empty cursor, since there are no names within myTable like
"'123'; delete from myTable; commit;"
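The two behaviours the answer describes, run side by side. This is an added example, not code from the question or the answer: it uses Python's sqlite3 module (standing in for PHP's PDO) with a constructed three-row myTable, and the hostile input is the answer's one minus its trailing COMMIT, which SQLite's autocommit makes unnecessary.

```python
import sqlite3

# Constructed sample data standing in for the answer's myTable.
ROWS = [("alice",), ("bob",), ("123",)]

# The answer's hostile input, minus its trailing COMMIT: SQLite runs each
# statement of a script in autocommit mode, so the DELETE is persisted anyway.
INJECTED = "'123'; delete from myTable"


def make_db():
    """Fresh in-memory database with three rows (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (name TEXT)")
    conn.executemany("INSERT INTO myTable (name) VALUES (?)", ROWS)
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


def query_concatenated(conn, condition):
    """The vulnerable pattern: the input is spliced into the SQL text, so the
    parser sees whatever SQL it contains. executescript() stands in for a
    driver that executes stacked statements. Returns the rows left afterwards."""
    sql = "SELECT * FROM myTable WHERE name = " + condition
    conn.executescript(sql)  # runs every statement found in the string
    return row_count(conn)


def query_bound(conn, condition):
    """The safe pattern: a '?' placeholder in the SQL text and the value handed
    over separately. The text is never parsed as SQL; the database compares it
    as one string literal. Returns (matching names, rows left afterwards)."""
    cur = conn.execute("SELECT name FROM myTable WHERE name = ?", (condition,))
    return [r[0] for r in cur.fetchall()], row_count(conn)


if __name__ == "__main__":
    print("concatenated, rows left:", query_concatenated(make_db(), INJECTED))  # 0
    print("bound, hostile input:", query_bound(make_db(), INJECTED))           # ([], 3)
    print("bound, normal input:", query_bound(make_db(), "123"))               # (['123'], 3)
```

With concatenation the table is emptied; with the bound parameter the same text matches nothing and the table is untouched, while a normal value such as "123" still matches its row.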