
I have come to know that prepared statements are not guaranteed to prevent SQL injection.

How can SQL injection be done even using prepared statements?

Mahesh
  • Look at http://stackoverflow.com/questions/4333015/does-the-preparedstatement-avoid-sql-injection for a more detailed explanation. Simply said: If used correctly, prepared statements protect against SQL Injection. – Norbert Sep 10 '15 at 18:53
  • Others have said prepared statement is necessary but not 100% sufficient. – Mahesh Sep 10 '15 at 19:13
  • Also note [this answer on Information Security SE](http://security.stackexchange.com/a/44893). – RealSkeptic Sep 10 '15 at 19:25
  • I am not asking how it can prevent it. – Mahesh Sep 10 '15 at 19:32
  • I am asking even still using prepared statement how it can be done – Mahesh Sep 10 '15 at 19:33
  • I have come to know it from one of the legends of Stack Overflow. http://stackoverflow.com/users/37213/duffymo – Mahesh Sep 10 '15 at 19:39
  • Go and read the duplicate, the answer is there. – RealSkeptic Sep 10 '15 at 20:04
  • It is not explained in the question which you are suggesting. http://stackoverflow.com/users/4125191/realskeptic – Mahesh Sep 10 '15 at 20:28
  • No, it is explained in the first answer. It is also explained in the answer to the question Norbert van Nobelen mentioned. Why are you ignoring those answers? – RealSkeptic Sep 10 '15 at 20:35
  • Thanks for your response! Please don't force me to accept what I am not asking. – Mahesh Sep 10 '15 at 21:42
  • Still it is the answer (Read the link from @RealSkeptic which is the most extensive): Prepared statement architecture is safe (if used correctly), however software has bugs, so that can still mess everything up. – Norbert Sep 10 '15 at 22:57

0 Answers
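
The comments above turn on the phrase "if used correctly". The following is an added example, not part of the original thread, showing what misuse and correct use look like. It uses Python's `sqlite3` as a stand-in for any driver with placeholders; the table, data, and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for this illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def find_user_misused(db, name):
    # Misuse: the driver still prepares this statement, but the input was
    # already spliced into the SQL text, so it is parsed as SQL, not data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_bound(db, name):
    # Correct use: the SQL text is constant and the value is bound
    # to the placeholder, so it can only ever be compared as a string.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(db, column):
    # Placeholders bind values only, never identifiers. A column name chosen
    # by the caller must be checked against an allow-list before it is
    # placed in the SQL text.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"               # constructed test input
    print(find_user_misused(db, crafted))  # every row comes back
    print(find_user_bound(db, crafted))    # no row has that literal name
    print(list_users_sorted(db, "role"))
```

The same distinction applies to any API offering prepared statements: the protection comes from keeping untrusted input out of the SQL text, not from calling the prepare function.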