Which is the only proven way to prevent SQL Injection?
Explanation
Query parametrization is the only proven way of preventing SQL injection into the database.
By using parameters we can avoid SQL injection. If we don't use parameters, intruders can inject harmful content to destroy or capture your database, like this: SELECT * FROM tbllogin WHERE UserId = 6 OR 1=1; SELECT * FROM tbllogin; DROP TABLE tbllogin
Theory
  • SQL Injection

    SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
    Injected SQL commands can alter the SQL statement and compromise the security of a web application.
    Read more: SQL Injection
  • SQL Injection - Parameters for Protection

    Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.
    This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in common language and should be allowed in many types of input. (In fact, it should be perfectly legal to input an SQL statement in a database field.)
    The only proven way to protect a web site from SQL injection attacks is to use SQL parameters.
    SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
    Read more: SQL Injection
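The difference between pasting the value into the SQL text and binding it as a parameter, as an added example that is not part of the original quiz page. It assumes an in-memory SQLite table named tbllogin with columns UserId and UserName (UserName is an invented column) and uses the UserId = 6 OR 1=1 input from the explanation above.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the original page): three login rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbllogin (UserId INTEGER, UserName TEXT)")
    conn.executemany(
        "INSERT INTO tbllogin VALUES (?, ?)",
        [(5, "alice"), (6, "bob"), (7, "carol")],
    )
    return conn


def lookup_concatenated(conn, user_input):
    # Vulnerable: the raw input becomes part of the SQL text, so anything
    # it contains is parsed as SQL and can rewrite the WHERE clause.
    sql = "SELECT UserId, UserName FROM tbllogin WHERE UserId = " + user_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    # Hardened: the SQL text is fixed; the value is bound at execution time
    # and the driver only ever treats it as data, never as SQL.
    sql = "SELECT UserId, UserName FROM tbllogin WHERE UserId = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "6"))          # [(6, 'bob')]
    print(lookup_concatenated(db, "6 OR 1=1"))   # every row: the condition was rewritten
    print(lookup_parameterized(db, "6"))         # [(6, 'bob')]
    print(lookup_parameterized(db, "6 OR 1=1"))  # []: compared as one literal value, matches nothing
```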
