hi guys,
i have some questions as usual,so tought of asking here
i am trying to understand the parameterized query
here is the simple source link i had used
http://www.lavamunky.com/2011/11/why-parameterized-queries-stop-sql.html
Now let me explain my understanding,correct me where ever i am wrong
say there is a query logic exists in the application like this
sqlQuery='SELECT * FROM custTable WHERE User=' + Username + ' AND Pass=' + password
and say a user supplies a arbitrary query with the user name it gets executed in the db,(right?)
like this
sqlQuery='SELECT * FROM custTable WHERE User='' OR 1=1-- ' AND PASS=' + password
and say there is a code for parameterized query in the application like this
parameters.add("User", username)
parameters.add("Pass", password)
sqlQuery='SELECT * FROM custTable WHERE User=? AND Pass=?'
And the application sends the username and password from the parameters "user" and "pass" right ?
and even if the user submits the query like this
sqlQuery='SELECT * FROM custTable WHERE User=Nobody OR 1=1'-- AND Pass=?'
(the article says)it wont get executed as a query,i am confused at this point,
i)why this query didn't produce the results that i expect ?
ii) or does the application stores whatever we supply in the"user" and "pass" as a string instead of query in the db?
iii)how secure the parameterized queries are ? and how we can bypass it ?
Tools : Symbolic Exploit Assistant project is looking for collaborators
