
Possible Duplicate: How prepared statements can protect from SQL injection attacks?

I read that using parameterized queries will guarantee you to be 100% safe from SQL injection, but I'm not so sure. If you guys think that it's completely safe, please explain why, and vice versa.

Cœur
siaooo
  • @Col.Shrapnel: I meant it's not an excuse to not sanitise or validate, or not use prepared statements for internal queries because you "trust the source" – Leigh Feb 11 '12 at 12:19
  • @Leigh you have to state that it doesn't help against **other kinds of attacks**. Because right now your comment looks like that some "bad data" may be used to break a prepared statement. – Your Common Sense Feb 11 '12 at 12:22

1 Answer


In most cases - yes, but if you plan to build your own dynamic queries inside your parametrized query - obviously - no.

Oleg Dok
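The distinction the answer draws (a bound parameter protects the value it carries, but not SQL text you splice in around it) is easy to see in code. The following is an added example, not code from the question or the answer; it uses Python's built-in `sqlite3` module, an in-memory database, and a constructed `users` table, and the function and column names are assumptions made for the demonstration. The first function binds the user-supplied value, so the database never parses it as SQL. The second splices a user-supplied column name into the query string, because a parameter cannot carry an identifier; the bound value is still safe, but the query's structure is not. The third shows the standard mitigation, an allow-list of identifiers checked before any string is built.

```python
import sqlite3

# Constructed sample data: three users in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def find_by_name_parameterized(conn, name):
    """Value bound as a parameter (the `?` placeholder).

    Whatever `name` contains is compared as a literal string; the SQL text
    seen by the engine is fixed at 'SELECT ... WHERE name = ?'.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return sorted(r[0] for r in rows)

def find_by_field_dynamic(conn, field, value):
    """Dynamic SQL built *inside* an otherwise parameterized query.

    `value` is bound and therefore safe, but `field` is pasted into the
    query text, so a caller controlling `field` can change the WHERE clause.
    This is the case the answer warns about.
    """
    sql = f"SELECT name FROM users WHERE {field} = ?"  # hypothetical unsafe pattern
    rows = conn.execute(sql, (value,)).fetchall()
    return sorted(r[0] for r in rows)

# Mitigation: identifiers cannot be parameters, so restrict them to a fixed
# allow-list before they ever touch the query string.
ALLOWED_FIELDS = frozenset({"name", "role"})

def find_by_field_safe(conn, field, value):
    """Same query shape, but `field` must be one of a known set of columns."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unsupported field: {field!r}")
    sql = f"SELECT name FROM users WHERE {field} = ?"  # field is now allow-listed
    rows = conn.execute(sql, (value,)).fetchall()
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = make_db()
    # Bound value: the odd-looking string is simply a name that does not exist.
    print(find_by_name_parameterized(db, "x' OR '1'='1"))          # []
    # Spliced identifier: the WHERE clause is rewritten, every row comes back.
    print(find_by_field_dynamic(db, "1=1 OR name", "nobody"))     # ['alice', 'bob', 'carol']
    # Allow-listed identifier: the same input is rejected before any SQL runs.
    try:
        find_by_field_safe(db, "1=1 OR name", "nobody")
    except ValueError as exc:
        print("rejected:", exc)
```

The point to take from the three functions is that "parameterized" describes how a value reaches the engine, not the query as a whole: any part of the statement assembled from input by string formatting (column names, table names, ORDER BY targets, whole clauses) is outside the parameter mechanism and needs its own control, normally an allow-list as in `find_by_field_safe`.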