Title: [question] Understanding parameterized queries?
Post by: manoj9372 on February 27, 2013, 02:12:59 AM
I have some questions as usual, so I thought of asking here.
I am trying to understand the parameterized query.
Here is the simple source link I had used.
Now let me explain my understanding; correct me wherever I am wrong.
Say there is query logic in the application like this:
sqlQuery='SELECT * FROM custTable WHERE User=' + Username + ' AND Pass=' + password
And say a user supplies an arbitrary query with the user name; it gets executed in the DB (right?):
sqlQuery='SELECT * FROM custTable WHERE User='' OR 1=1-- ' AND PASS=' + password
And say there is code for a parameterized query in the application like this:
sqlQuery='SELECT * FROM custTable WHERE User=? AND Pass=?'
And the application sends the username and password from the parameters "user" and "pass", right?
And even if the user submits the query like this:
sqlQuery='SELECT * FROM custTable WHERE User=Nobody OR 1=1'-- AND Pass=?'
(the article says) it won't get executed as a query. I am confused at this point:
i) Why didn't this query produce the results that I expect?
ii) Or does the application store whatever we supply in "user" and "pass" as a string instead of as a query in the DB?
iii) How secure are parameterized queries, and how can we bypass them?
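As an added illustration of the difference the post asks about (this is not code from the thread or from the linked article; the custTable row, the sqlite3 in-memory database and the login functions are constructed here), the concatenated query and the parameterized query are run against the same `' OR 1=1--` input, and the parameterized insert shows that the value is stored as a literal string, which is the answer to question ii):

```python
import sqlite3

# Constructed sample database: one user row, in memory, nothing persisted.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custTable (User TEXT, Pass TEXT)")
    conn.execute("INSERT INTO custTable VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # The vulnerable pattern from the post: input is spliced into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = ("SELECT * FROM custTable WHERE User='" + username
           + "' AND Pass='" + password + "'")
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    # Parameterized: the SQL text is fixed and parsed first; the driver binds
    # the values to the ? placeholders as data, never as SQL syntax.
    sql = "SELECT * FROM custTable WHERE User=? AND Pass=?"
    return conn.execute(sql, (username, password)).fetchall()

def store_and_read_back(conn, username):
    # Question ii): with parameters the payload is stored exactly as typed,
    # as a plain string value in the User column.
    conn.execute("INSERT INTO custTable VALUES (?, ?)", (username, "x"))
    row = conn.execute("SELECT User FROM custTable WHERE Pass=?", ("x",)).fetchone()
    return row[0]

def demo():
    conn = make_db()
    payload = "' OR 1=1--"
    return {
        # concatenation: WHERE User='' OR 1=1--...  -> every row matches
        "concat_rows": len(login_concat(conn, payload, "anything")),
        # parameters: WHERE User=<the literal string ' OR 1=1--> -> no row
        "param_rows": len(login_param(conn, payload, "anything")),
        # parameters still work for a genuine login
        "param_valid": len(login_param(conn, "alice", "s3cret")),
        "stored": store_and_read_back(conn, payload),
    }

if __name__ == "__main__":
    print(demo())
```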
Title: Re: [question] Understanding parameterized queries?
Post by: MaXe on February 27, 2013, 03:57:04 AM
You should consider posting your message on one forum first, and then wait a bit, before posting it across multiple forums. I've already replied on InterN0T.