Title: [question]understanding parameterized queries ?
Post by: manoj9372 on February 27, 2013, 02:12:59 AM

hi guys,
i have some questions as usual, so thought of asking here. i am trying to understand the parameterized query. here is the simple source link i had used:

Code: http://www.lavamunky.com/2011/11/why-parameterized-queries-stop-sql.html

Now let me explain my understanding, correct me wherever i am wrong.

say there is a query logic exists in the application like this

    sqlQuery='SELECT * FROM custTable WHERE User=' + Username + ' AND Pass=' + password

and say a user supplies an arbitrary query with the user name, it gets executed in the db (right?) like this

    sqlQuery='SELECT * FROM custTable WHERE User='' OR 1=1-- ' AND PASS=' + password

and say there is a code for parameterized query in the application like this

    parameters.add("User", username)
    parameters.add("Pass", password)
    sqlQuery='SELECT * FROM custTable WHERE User=? AND Pass=?'

And the application sends the username and password from the parameters "user" and "pass", right? and even if the user submits the query like this

    sqlQuery='SELECT * FROM custTable WHERE User=Nobody OR 1=1'-- AND Pass=?'

(the article says) it won't get executed as a query. i am confused at this point,
i) why this query didn't produce the results that i expect?
ii) or does the application store whatever we supply in the "user" and "pass" as a string instead of query in the db?
iii) how secure the parameterized queries are? and how we can bypass it?

Title: Re: [question]understanding parameterized queries ?
Post by: MaXe on February 27, 2013, 03:57:04 AM

You should consider posting your message on one forum first, and then wait a bit, before posting it across multiple forums. I've already replied on InterN0T.
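Added illustration of manoj9372's question above (not from the thread or the linked article): the concatenated login query beside its parameterized form, run against a constructed in-memory SQLite table, so the difference in how the same `' OR 1=1--` input is treated can be observed directly. The table, the user row and the function names are assumptions made for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from the post: one customer row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custTable (User TEXT, Pass TEXT)")
    conn.execute("INSERT INTO custTable VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Vulnerable form from the post: the input is spliced into the SQL text,
    # so the database parser sees the quote, the OR and the -- comment as SQL.
    sql = ("SELECT * FROM custTable WHERE User='" + username
           + "' AND Pass='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized form: the statement text is fixed before any value is seen.
    # Each ? is bound to a value, so the input is compared as a string and can
    # never change the query structure (this answers question ii).
    sql = "SELECT * FROM custTable WHERE User=? AND Pass=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR 1=1--"
    # Concatenation: WHERE User='' OR 1=1--' AND Pass='x'  -> every row matches.
    print("concat     :", login_concat(db, hostile, "x"))
    # Parameters: WHERE User=<literal "' OR 1=1--"> AND Pass='x' -> no row.
    print("parameters :", login_param(db, hostile, "x"))
    # Legitimate credentials still work through the parameterized path.
    print("valid login:", login_param(db, "alice", "s3cret"))
```

The bound value may contain quotes, comment markers or keywords; it is stored and compared as data, which is why the parameterized query returns nothing for the hostile username.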