Understanding Parameterized SQL in Application Security

A more common term for this is ‘parameterized SQL’. You are still taking user data, as you pointed out, but the security lies in the fact that the application knows what is data, and what is executable.

When you build a SQL statement as a string and pass it in its completed entirety to the database, the application simply has to trust that the SQL command being executed is what you intended, and has not been maliciously modified by user data during construction.

When the user data is passed in separately from the SQL statement as parameters and parameter values, the SQL command can’t be directly modified by user input… It’s separate. The application can tell absolutely what is supposed to be executable, and that nothing in the parameter values should be… It’s all data, and only data.
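The contrast described above, as an added example that is not part of the original post: a string-built query beside a parameterized one against a small constructed SQLite table. The table, its rows and the input strings are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_concatenated(conn, name):
    # The whole statement, user data included, reaches the database as one string.
    # The database has no way to know which characters were meant to be data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The statement and the value travel separately: '?' is the placeholder,
    # the value is bound as data and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def concatenated_breaks_on_quote(conn):
    # Even honest data containing an apostrophe breaks the concatenated form,
    # because the quote character is read as SQL syntax rather than data.
    try:
        lookup_concatenated(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False

def demo():
    conn = build_db()
    # A constructed input that happens to contain SQL syntax characters.
    tainted = "nobody' OR '1'='1"
    return {
        # Concatenated: the input changes the statement, every row comes back.
        "concat": lookup_concatenated(conn, tainted),
        # Parameterized: the input is compared as a literal name, nothing matches.
        "param": lookup_parameterized(conn, tainted),
        # Ordinary lookups keep working exactly as before.
        "honest": lookup_parameterized(conn, "bob"),
        "quote_error": concatenated_breaks_on_quote(conn),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Logging the bound parameter values separately from the statement text also gives reviewers a clean record of what was data and what was code.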
