If so, if my varchar contains ; or [ or the keyword "Create", will that get automatically deleted? I don't think that was this simple; what is the mechanism of parameterization to avoid SQL injection?
Viewed 41 times
4
No, it doesn't remove any characters. Rather, it treats those characters as values rather than as code. If you pass in a string with a semicolon or a quote mark or any other meaningful character/keyword then you'll simply end up with a string value that has that semicolon or quote mark or keyword in it.
If you construct the query as a raw string, rather than using a parameterized query, then you need to ensure that the characters are appropriately escaped in order to have the same behavior, and that's a non-trivial task (if you want to support every possibility) which is why parameterized queries exist to handle it for you.

Servy
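An added example (not part of the answer above) that makes the point concrete with Python's standard-library sqlite3 driver: the same input, containing a quote, a semicolon and the keyword CREATE, is stored verbatim as a value when bound through a `?` placeholder, but breaks the statement when glued into the SQL text. Table and column names are made up for the demo.

```python
import sqlite3

# Constructed sample input: it carries a quote, a semicolon and the keyword CREATE,
# exactly the characters the question asks about.
SUSPICIOUS_NAME = "O'Brien; CREATE TABLE x(y)"


def setup():
    """Create an in-memory database with one demo table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def insert_parameterized(conn, name):
    """Bind the value through a placeholder and read it back.

    The driver sends the SQL text and the value separately; the value is never
    parsed as SQL, so every character in it ends up stored literally.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def insert_concatenated(conn, name):
    """Build the statement as a raw string instead.

    The quote inside the value closes the string literal early, so the parser
    sees the rest of the input as SQL; SQLite rejects the malformed statement.
    Nothing was 'removed' from the value; it was simply interpreted as code.
    """
    try:
        conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")
        return "executed"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def table_count(conn):
    """Number of user tables; stays 1 because the CREATE keyword was only data."""
    return conn.execute("SELECT COUNT(*) FROM sqlite_master WHERE type='table'").fetchone()[0]


if __name__ == "__main__":
    db = setup()
    print("parameterized stored:", insert_parameterized(db, SUSPICIOUS_NAME))
    print("concatenated result: ", insert_concatenated(db, SUSPICIOUS_NAME))
    print("tables:", table_count(db), "rows:", row_count(db))
```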