Parameterized SQL statements vs. very simple method

Posted by Philipp G on Stack Overflow
Published on 2010-04-28T15:25:10Z

When I started to write the first SQL statements in my programs, I felt quite comfortable protecting myself against SQL injection with a very simple method that a colleague showed me. It replaced all single quotes with two single quotes.

So, for example, there is a search field in which you can enter a customer name to search the customer table. If you entered

Peter's Barbershop

The SELECT statement would look like

SELECT *
FROM Customers
WHERE Customername = 'Peter''s Barbershop'

If an attacker now inserted this:

';DROP TABLE FOO; --

The statement would look like:

SELECT *
FROM Customers
WHERE Customername = ''';DROP TABLE FOO;--'

It would not drop any table, but search the customer table for the customer name ';DROP TABLE FOO;-- which, I suppose, won't be found ;-)

Now, after a while of writing statements and protecting myself against SQL injection with this method, I read that many developers use parameterized statements, but I never read an article where "our" method was used. So there is definitely a good reason for it.

What scenarios would parameterized statements cover but our method doesn't? What are the advantages of parameterized statements compared to our method?

Thanks
Philipp
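The two approaches side by side, as an added example that is not part of the original post. It reproduces the quote-doubling method and the exact statements shown in the question, then runs the same searches through a parameterized query; the in-memory SQLite database, the `Customers`/`FOO` tables and the sample rows are constructed for the example. The `Id` lookup at the end goes slightly beyond the question: it shows a parameterized comparison against a numeric column, where there are no quotes in the SQL text at all and so nothing for the quote-doubling method to act on.

```python
import sqlite3

# Constructed sample data (not from the original post).
CUSTOMERS = ["Peter's Barbershop", "Anna's Bakery"]

# Input strings taken from the question.
SEARCH_TERM = "Peter's Barbershop"
ATTACK_TERM = "';DROP TABLE FOO; --"


def make_db():
    """Create an in-memory database with a Customers table and an empty FOO
    table. FOO exists only so we can observe whether it survives a search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Customername TEXT)")
    conn.execute("CREATE TABLE FOO (x INTEGER)")
    conn.executemany(
        "INSERT INTO Customers (Customername) VALUES (?)", [(c,) for c in CUSTOMERS]
    )
    return conn


def escape_by_doubling(value):
    """The question's method: double every single quote before splicing the
    value into the SQL text. It only makes sense when the value is going to
    land inside a single-quoted string literal."""
    return value.replace("'", "''")


def build_naive_statement(name):
    """Build the statement by string concatenation, exactly as the question
    describes it."""
    return "SELECT Customername FROM Customers WHERE Customername = '" \
        + escape_by_doubling(name) + "'"


def search_naive(conn, name):
    """Run the concatenated statement and return the matching names."""
    return [row[0] for row in conn.execute(build_naive_statement(name))]


def search_parameterized(conn, name):
    """Parameterized form: the SQL text is fixed at development time and the
    value travels separately as data, so no escaping step is needed."""
    sql = "SELECT Customername FROM Customers WHERE Customername = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def search_by_id(conn, customer_id):
    """Parameterized comparison against a numeric column. There are no quotes
    around the placeholder, so quote-doubling would have nothing to protect;
    the driver still keeps the value out of the SQL text."""
    sql = "SELECT Customername FROM Customers WHERE Id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def table_exists(conn, table):
    """Check the catalogue so we can confirm FOO was never dropped."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(build_naive_statement(SEARCH_TERM))
    print(build_naive_statement(ATTACK_TERM))
    print(search_naive(db, SEARCH_TERM), search_parameterized(db, SEARCH_TERM))
    print(search_naive(db, ATTACK_TERM), search_parameterized(db, ATTACK_TERM))
    print(search_by_id(db, 1), "FOO still exists:", table_exists(db, "FOO"))
```

Both searches return the same rows for the question's inputs, and `FOO` survives in both cases. The difference is in what each approach relies on: quote-doubling is only correct if the value is placed inside a single-quoted literal and the database recognises `''` as the sole escape sequence, and it has to be applied at every concatenation site without exception. The parameterized query makes none of those assumptions because the value never becomes part of the SQL text, which is why reviewers and static-analysis tools treat it as the baseline rather than a per-site escaping routine.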
