Avoiding SQL Injection using Parameters

Question

SQL injection can be avoided by using Parameters is a well known fact. I just want a detailed idea of how it works. Thanks in Advance.

Vulpes · Answer

When you use parameters the database server itself constructs the full query before executing it. It already knows what the query is going to do and that the parameters are just placeholders for data not SQL commands. Consequently there is no chance that when the actual data is inserted it will change the nature of the query and since it also knows the type of the data any mismatch will be immediately detected and an error flagged up.

Murugesh P · Answer

Its simple and clear. Thanks a lot.