[question]understanding parameterized queries ?



Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Feb 27, 2013 3:12 am


Hi guys,
I have some questions as usual, so I thought of asking here.

I am trying to understand the parameterized query.

Here is the simple source link I had used.

Now let me explain my understanding; correct me wherever I am wrong.

Say there is query logic in the application like this:

sqlQuery='SELECT * FROM custTable WHERE User=' + Username + ' AND Pass=' + password

And say a user supplies an arbitrary query in the user name; it gets executed in the db (right?),

like this:

sqlQuery='SELECT * FROM custTable WHERE User='' OR 1=1-- ' AND PASS=' + password

And say there is code for a parameterized query in the application like this:

parameters.add("User", username)
parameters.add("Pass", password)

sqlQuery='SELECT * FROM custTable WHERE User=? AND Pass=?'

And the application sends the username and password from the parameters "user" and "pass", right?

And even if the user submits the query like this:

sqlQuery='SELECT * FROM custTable WHERE User=Nobody OR 1=1'-- AND Pass=?'

(the article says) it won't get executed as a query. I am confused at this point:

i) Why didn't this query produce the results that I expect?

ii) Or does the application store whatever we supply in "user" and "pass" as a string instead of as a query in the db?

iii) How secure are parameterized queries, and how can we bypass them?
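
The contrast the post is asking about, as an added example that is not from the original post or the linked article: the concatenated query beside its parameterized form, run against a constructed in-memory SQLite table (table name and columns follow the post; the rows are made up).

```python
import sqlite3

def make_db():
    """Constructed sample data for the demo (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custTable (User TEXT, Pass TEXT)")
    conn.execute("INSERT INTO custTable VALUES ('alice', 'secret1'), ('bob', 'secret2')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """The pattern from the post: the values are spliced into the SQL text,
    so whatever the user typed is parsed by the database as part of the statement."""
    sql = "SELECT * FROM custTable WHERE User='" + username + "' AND Pass='" + password + "'"
    return conn.execute(sql).fetchall()

def login_param(conn, username, password):
    """Parameterized form: the statement text is fixed and the driver binds the
    two values to the ? placeholders as data. Nothing in them is parsed as SQL."""
    sql = "SELECT * FROM custTable WHERE User=? AND Pass=?"
    return conn.execute(sql, (username, password)).fetchall()

# The user-name input from the post.
PAYLOAD = "' OR 1=1--"

def demo():
    """Run both forms with the same inputs and return what each one gives back."""
    conn = make_db()
    return {
        # Concatenation: the statement becomes WHERE User='' OR 1=1--..., every row matches.
        "concat": login_concat(conn, PAYLOAD, "x"),
        # Parameterized: the whole string is compared to the User column as a value.
        "param": login_param(conn, PAYLOAD, "x"),
        # Parameterized with a real credential still works as intended.
        "param_valid": login_param(conn, "alice", "secret1"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized call returns no rows because the database compares the literal text `' OR 1=1--`, quote and comment marker included, against the User column; that is what "stored as a string instead of a query" means in practice.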



Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 27, 2013 4:57 am

Re: [question]understanding parameterized queries ?

You should consider posting your message on one forum first, and then wait a bit, before posting it across multiple forums. I've already replied on InterN0T.
I'm an InterN0T'er
