I have come to know that prepared statements are not guarantee to prevent SQL injection.
How can SQL injection be done even using prepared statements?
Asked
Active
Viewed 117 times
0
-
Look at http://stackoverflow.com/questions/4333015/does-the-preparedstatement-avoid-sql-injection for a more detailed explanation. Simply said: If used correctly, prepared statements protect against SQL Injection. – Norbert Sep 10 '15 at 18:53
-
Others have said prepared statement is necessary but not 100% sufficient. – Mahesh Sep 10 '15 at 19:13
-
1Also note [this answer on Information Security SE](http://security.stackexchange.com/a/44893). – RealSkeptic Sep 10 '15 at 19:25
-
I am not asking how it can prevent it. – Mahesh Sep 10 '15 at 19:32
-
I am asking even still using prepared statement how it can be done – Mahesh Sep 10 '15 at 19:33
-
I have come to know it from one of the legend of stackoverflow. http://stackoverflow.com/users/37213/duffymo – Mahesh Sep 10 '15 at 19:39
-
1Go and read the duplicate, the answer is there. – RealSkeptic Sep 10 '15 at 20:04
-
It is not explained in the question which you are sugesting. http://stackoverflow.com/users/4125191/realskeptic – Mahesh Sep 10 '15 at 20:28
-
1No, it is explained in the first answer. It is also explained in the answer to the question Norbert van Nobelen mentioned. Why are you ignoring those answers? – RealSkeptic Sep 10 '15 at 20:35
-
Thanks! for your response. Please don't force me to accept what I am not asking. – Mahesh Sep 10 '15 at 21:42
-
Still it is the answer (Read the link from @RealSkeptic which is the most extensive): Prepared statement architecture is safe (if used correctly), however software has bugs, so that can still mess everything up. – Norbert Sep 10 '15 at 22:57