
I read online that SQL injection is possible through parameterized queries but I didn't find anything about how to do it. Does someone know how it's possible to SQL inject parameterized queries?

By parameterized queries I mean this:

'SELECT * FROM users WHERE username = ? AND password = ?', [user, password], ...

shooter
  • Where did you read that? – Uwe Keim Jun 26 '22 at 19:41
  • Please include the source of that hearsay. – The Impaler Jun 26 '22 at 19:49
  • Uwe Keim, The Impaler, I read it here: https://stackoverflow.com/questions/6786034/can-parameterized-statement-stop-all-sql-injection – shooter Jun 26 '22 at 20:03
  • JoelCrypto yes, thank you – shooter Jun 26 '22 at 20:05
  • I wrote one of the answers that said there are edge cases of dynamic SQL where parameters cannot be used, therefore parameters can't solve _all_ SQL injection vulnerabilities. Nevertheless, parameters are effective and the best option for many cases. For the cases where parameters cannot be used, such as identifiers and expressions and keywords, a common solution is to use allow-listing. – Bill Karwin Jun 26 '22 at 22:24
  • SQL Injection occurs when a somewhat careless or naive developer implements Dynamic SQL. Dynamic SQL is essentially a technique where you concatenate strings to produce SQL statements. Now, prepared statements prevent this from happening for most use cases, **but not all of them**. For example, DB2 does not accept parameters for the LIMIT-equivalent clause; or you need to query a table whose name is known only at runtime. You need to use Dynamic SQL for those cases; sanitize input carefully. Also, you may need to use a badly crafted stored procedure that assembles queries on the fly. Beware. – The Impaler Jun 27 '22 at 14:13
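The pattern the last two comments describe, as an added example that is not from the question or any commenter: values (the search text, the row limit) are bound as parameters, while the parts a placeholder cannot carry (the ORDER BY column and direction) are checked against a fixed allow-list before they are spliced into the statement. It uses Python's sqlite3 module with constructed in-memory sample data; the table, columns and function names are assumptions for the demonstration.

```python
import sqlite3

# Values can be bound as parameters; identifiers and keywords cannot, so the
# ORDER BY column and direction are checked against fixed allow-lists instead.
ALLOWED_ORDER_COLUMNS = {"username", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Constructed in-memory sample data for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created_at INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 1), ("bob", 2), ("carol", 3)],
    )
    return conn


def search_users(conn, prefix, order_by="username", direction="ASC", limit=10):
    """Return usernames starting with prefix, sorted and limited by caller choices."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"column not allowed: {order_by!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"direction not allowed: {direction!r}")
    limit = int(limit)  # SQLite binds LIMIT; the int() check also covers DBs that do not
    if not 0 < limit <= 100:
        raise ValueError("limit out of range")
    # Only allow-listed tokens are interpolated; the search text and the limit
    # travel as bound parameters and are never parsed as SQL.
    sql = (
        f"SELECT username FROM users WHERE username LIKE ? "
        f"ORDER BY {order_by} {direction} LIMIT ?"
    )
    return [row[0] for row in conn.execute(sql, (prefix + "%", limit))]


def demo():
    """Bound tautology text matches nothing; an unlisted ORDER BY column is refused."""
    conn = make_db()
    inert = search_users(conn, "' OR '1'='1")  # compared as a literal string
    newest_first = search_users(conn, "", "created_at", "DESC")
    try:
        search_users(conn, "", order_by="username; DROP TABLE users")
        rejected = False
    except ValueError:
        rejected = True
    return inert, newest_first, rejected
```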

0 Answers