Prepared Statement: Topic, Class, Mode, Week

The document discusses how prepared statements in SQL can prevent SQL injection by not allowing user input to change the intent of a query. It explains that prepared statements separate the query structure from any values supplied, and these are compiled separately by the database to increase security. Stored procedures and input validation are also recommended for additional security.


ch4

TOPIC prevent SQL injection

CLASS MODE STUDY

WEEK week11

prepared statement :
Prepared statements are resilient against SQL injection as an attacker cannot
change the intent of a query.

photo1

If we try to write malicious input such as 12345 OR 1=1, the database will not take the OR as a boolean operator; the whole value is treated as a single literal.
When we create the prepared statement we write the full query and leave certain values (the parameters) empty, replaced with [?],
like in photo1.

How Prepared Statements Work:

1. Prepare: write the query with placeholders in place of the values.

2. Compile: the database engine compiles the prepared statement.

3. Execute: after compilation we execute the prepared statement against the
database, supplying the values for the placeholders.
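The three steps above, shown as an added example that is not part of the original notes. It uses Python's built-in sqlite3 module and an in-memory table constructed for the demonstration; `lookup_vulnerable` builds the query by string concatenation, while `lookup_prepared` leaves the value as a `?` placeholder and binds it at execute time. The table name, column names and sample rows are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Build a small in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(12345, "alice", 100), (67890, "bob", 250), (11111, "carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Query built by concatenation: the input becomes part of the SQL text.

    With the input 12345 OR 1=1 the WHERE clause becomes
    'id = 12345 OR 1=1', which is true for every row.
    """
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id):
    """Prepared statement: the query shape is fixed before any value is seen.

    Step 1 (prepare): the SQL text with a ? placeholder.
    Step 2 (compile): sqlite3 compiles it when execute() is first called
                      and caches the compiled statement.
    Step 3 (execute): the value is bound to the placeholder as a single
                      literal; 'OR' inside it is just characters, not an
                      operator.
    """
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def compare(user_input):
    """Run both lookups on the same input and return the results side by side."""
    conn = make_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, user_input)),
        "prepared": sorted(lookup_prepared(conn, user_input)),
    }


if __name__ == "__main__":
    # Normal input: both approaches return only alice.
    print(compare("12345"))
    # The malicious input from the notes: only the concatenated query leaks every row.
    print(compare("12345 OR 1=1"))
```

Running the block prints a normal lookup followed by the 12345 OR 1=1 case: the concatenated query returns all three names, the prepared statement returns none, because no row has an id equal to the literal text "12345 OR 1=1".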

Use Stored Procedure:

Stored procedures are programs saved on the database server.
A stored procedure is prepared SQL code that you can save, so the code can
be reused over and over again.
Avoid Writing Pure SQL; for Security, Use LINQ:

Input Validation or Restriction:

Allow users to select data only from a whitelist.
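Whitelist validation matters most for the parts of a query that a placeholder cannot cover, such as a column name chosen by the user for sorting. The example below is added here and is not from the original notes; it uses Python's sqlite3 module with a constructed table, and the column list, the id format and the table contents are assumptions for the demonstration. Values still go through placeholders; identifiers are checked against a fixed set before they are put into the query text.

```python
import re
import sqlite3

# Allowlist of column names a user may sort by. Anything else is rejected,
# so no user-supplied text ever reaches the ORDER BY clause unchecked.
ALLOWED_SORT_COLUMNS = {"name", "balance"}

# An account id is 1 to 10 digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def make_db():
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(12345, "alice", 100), (67890, "bob", 250), (11111, "carol", 75)],
    )
    return conn


def validate_sort_column(column):
    """Return the column name only if it is in the allowlist."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return column


def validate_user_id(user_id):
    """Restrict an id to digits only, then convert it to an int."""
    if not ID_PATTERN.fullmatch(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    return int(user_id)


def list_users(conn, sort_column):
    """Identifier from the allowlist goes into the SQL text; nothing else does."""
    column = validate_sort_column(sort_column)
    sql = f"SELECT name FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def get_balance(conn, user_id):
    """Validated value bound through a placeholder; returns None if no such user."""
    uid = validate_user_id(user_id)
    row = conn.execute("SELECT balance FROM users WHERE id = ?", (uid,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    conn = make_db()
    print(list_users(conn, "balance"))      # sorted by balance
    print(get_balance(conn, "12345"))       # 100
    for bad in ("name; DROP TABLE users", "12345 OR 1=1"):
        try:
            list_users(conn, bad) if ";" in bad else get_balance(conn, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The two validators fail closed: an input that is not on the list, or not purely digits, raises before any SQL is built, so the query text is only ever assembled from names the code itself defined.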

Escaping All User Supplied Input:

A character preceded by a backslash (\) is called an
escape sequence.
• It has a special meaning to the compiler.