SQL injection attacks
Posted Mar 30, 2006 17:55 UTC (Thu) by iabervon (subscriber, #722)
Parent article: SQL injection attacks
The prepared statement functionality, at least in some databases, is actually even better than this article suggests: it causes the statement with the question marks to be parsed to generate the sequence of database-internal operations which will be performed. Then when the arguments are filled, it doesn't need to escape the strings, because it doesn't unescape them; it doesn't treat any characters specially at this point. Furthermore, since all of the parsing is already done when user input comes in, it can't be induced to perform unexpected operations, because the sequence of operations it will perform is already determined at this point.
Furthermore, it's often faster, because it can cache the execution plan for the query, because all of the "SELECT id FROM users WHERE user=? AND pass=?" parts are identical, and the parsing can be a significant portion of the query time, since there's a bunch of effort in figuring out what's going on, and that the useful optimization for this query is the unique index on users.user.
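The behaviour iabervon describes, shown as an added example that is not part of the original comment or the article it replies to. It uses Python's sqlite3 module (which takes the same `?` placeholders as the comment's query) against a constructed in-memory users table, and contrasts a statement built by string formatting with a prepared statement whose text is parsed before the values are bound; the table, rows, function names and sample inputs are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the original page.
USERS = [
    (1, "alice", "correct horse battery staple"),
    (2, "bob", "hunter2"),
    (3, "carol", "o'hara"),  # a quote inside the stored value
]

LOGIN_SQL = "SELECT id FROM users WHERE user=? AND pass=?"


def make_db():
    """Build an in-memory users table with a unique index on users.user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, "
        "user TEXT UNIQUE NOT NULL, "  # UNIQUE creates the index the planner can use
        "pass TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """Build the statement by string formatting, so the caller's text is
    parsed as SQL.  Returns ("rows", [ids]) or ("error", message)."""
    sql = "SELECT id FROM users WHERE user='%s' AND pass='%s'" % (user, password)
    try:
        return ("rows", sorted(row[0] for row in conn.execute(sql)))
    except sqlite3.OperationalError as exc:
        # The input changed the statement's structure badly enough that the
        # database could not even parse it (a stray quote, for instance).
        return ("error", str(exc))


def login_prepared(conn, user, password):
    """Parse the statement with '?' placeholders first, then bind the values.
    The bound values are never re-parsed, so no character in them is special
    and nothing has to be escaped."""
    return sorted(row[0] for row in conn.execute(LOGIN_SQL, (user, password)))


def query_plan(conn):
    """Return the planner's description of the prepared login query.  The plan
    depends only on the statement text, not on the bound values, which is what
    lets the database reuse it across calls."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + LOGIN_SQL, ("x", "y"))
    return [row[3] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable, injected input:  ", login_vulnerable(conn, tautology, tautology))
    print("prepared, same input:        ", login_prepared(conn, tautology, tautology))
    print("vulnerable, quote in password:", login_vulnerable(conn, "carol", "o'hara"))
    print("prepared, quote in password:  ", login_prepared(conn, "carol", "o'hara"))
    for line in query_plan(conn):
        print("plan:", line)
```

The tautology input returns every row from the formatted query and no row from the prepared one, because in the prepared case the quotes and `OR` arrive after parsing and are compared as plain text against the user column. The quote in carol's password breaks the formatted query outright while the prepared query matches her row without any escaping. On the caching point, sqlite3 keeps a per-connection cache of compiled statements, so repeated calls with the identical `?` text reuse the already-parsed statement and its plan.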