This question already has an answer here:
/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks (7 answers)

Answers
Basically, you're making the distinction between data and the actual code (query part) very clear. You're telling the SQL server: this is clearly data and this is clearly code.
This way, you're basically skipping the part where the server has to pull apart the code and data from your query, so there's no chance the server can misinterpret bits of data as part of your query.
http://stackoverflow.com/a/8265319/268025
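The code/data split the answer above describes, shown side by side as an added example (this is not code from the original answer). It uses Python's standard sqlite3 module and a constructed in-memory users table; the two login functions and the sample rows are assumptions for illustration. The concatenated version hands the server one string that it must re-parse, so the attacker's quote characters become part of the query; the parameterized version sends a fixed query text plus separately bound values, so the same input is only ever compared as a string.

```python
import sqlite3

# Constructed sample data (not from the original answer): a tiny users table.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable (hypothetical name): data is spliced into the query text.

    The server receives a single string and has to pull code and data apart
    itself, so a quote in `password` closes the literal and the rest is parsed
    as SQL. Kept deliberately vulnerable to show the failure mode.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Safe (hypothetical name): the query text is fixed, values are bound.

    The `?` placeholders are the only places a value can appear; whatever is
    in `password` is compared as a string and never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run the classic tautology payload through both versions.

    Returns (rows from the concatenated query, rows from the parameterized one).
    """
    conn = make_db()
    payload = "' OR '1'='1"
    # Concatenated query becomes:
    #   ... WHERE name = 'alice' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so every row matches.
    concat = login_concatenated(conn, "alice", payload)
    # Parameterized query still compares password to the literal string
    # "' OR '1'='1", which matches no row.
    param = login_parameterized(conn, "alice", payload)
    return concat, param


if __name__ == "__main__":
    concat_rows, param_rows = demo()
    print("concatenated:", concat_rows)  # every user leaks
    print("parameterized:", param_rows)  # no match
```

The parameterized form is not "escaping done for you": the values never travel inside the SQL text at all, which is why a legitimate login with the real password still works while the payload returns nothing.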
Source: http://stackoverflow.com/questions/23387924/how-does-separated-clause-and-args-protect-against-sql-injection
License: cc by-sa 3.0