Menu
Are Parametrize Queries in .NET safe from SQL Inject? That is, does .NET automatically escape dangerous characters when you use Parameters?
901
When you use parameters, they typically won't be sent as text in the first place. They can use the native wire protocol for the database. If the parameter is a text parameter itself, then it will typically be encapsulated appropriate in the protocol so that the database knows it's a parameter rather than SQL.
While I guess a provider could just translate the parameters into a full SQL statement, it would be an awful way of doing things.
So basically "yes" - parameterised queries are effectively safe from SQL injection attacks, so long as you don't have stored procedures dynamically executing your parameters as SQL, etc.
85
When you use parameters, .Net's SQL client will send the parameter values to SQL server in the raw TDS stream.
However, this does not protect you from bad SQL.
If your SQL calls EXECUTE with a string that contains a concatenated parameter, you'll still be vulnerable.
24
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
