Parameterized Queries

A parameterized query is a technique that defends against SQL injection by using placeholders in a SQL statement for the values that come from user input, so those values are bound as data rather than spliced into the statement text.

  • websites with a database backend should use this
    • to defend against code injection and insecure object reference
  • is a type of output encoding
  • a query is parameterized when it contains placeholders for some of its parameters
    • when the query is executed, the web app binds the actual values to these placeholders in a separate step, apart from the statement text
    • i.e., a ? (or a quote, comment marker, etc.) appearing in a bound value is interpreted as a literal character and not as part of the SQL command
  • user input is passed as a single parameter into a pre-built statement
    • rather than the user's text becoming part of the statement the database parses
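As an added example (not part of the original note), the following Python script contrasts a lookup built by string concatenation with the same lookup done with a ? placeholder via the standard-library sqlite3 module; the users table and its rows are constructed for this demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data; table and rows are assumptions for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("what?", "user")],
    )
    return conn


def lookup_concat(conn, username):
    # Vulnerable: the user's text becomes part of the SQL statement itself,
    # so quotes and keywords in the input are parsed as SQL syntax.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Parameterized: the statement text is fixed and the value is bound
    # separately, so a ' or ? inside the input is data, not SQL syntax.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Return (concatenated result, parameterized result) for one input."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, username)
    except sqlite3.Error as exc:
        # A stray quote breaks the concatenated statement outright.
        concat = "error: %s" % exc
    param = lookup_param(conn, username)
    conn.close()
    return concat, param


if __name__ == "__main__":
    # The third probe is the classic tautology test: the concatenated
    # query returns every row, the parameterized query returns none.
    for probe in ["bob", "what?", "' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

Note that the stored value "what?" matches in both variants: the ? inside a bound value (or inside a quoted literal) is never treated as a placeholder.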