> If so, in another case, if there is another column named Name with data type Varchar (or String), and we have SQL like below:
>
> select * from user where name = ?
>
> and ? has the value 'bowl;drop table foo;--' ... what will happen, Larry?
The query would be treated as select * from user where name = 'bowl;drop table foo;--' (I guess it would just return 0 rows).

I prepared a long, detailed and complex explanation but then found this short description. I hope it's enough to clear the doubts. :-)

"For instance, in Java, a secure way to build SQL statements is to construct all queries with PreparedStatement instead of Statement (....) When PreparedStatement is used, most JDBC drivers will prepare a statement with the server, and then supply the parameters separately. In either case, after the initial parsing, there is a clear distinction between the SQL statement and the variable. The variables are encapsulated and special characters within them are automatically escaped in a manner suited to the target database. Consequently, it is impossible for a hacker to pass malicious input and have it treated as if it were the actual SQL statement, which is necessary if the hacker is going to succeed with SQL injection attacks."

(quoted from http://www.devx.com/security/Article/20678/0/page/2 )
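The exchange above, as an added worked example that is not part of the original thread or the quoted DevX article. It uses Python's sqlite3 module because its `?` placeholders behave like JDBC PreparedStatement parameters; the sample rows, the `foo` table and the second payload `bowl';drop table foo;--` (a variant that closes the string literal first, which the value in the question does not) are constructed assumptions. It goes one step beyond the question: it runs the literal value asked about and the quote-closing variant through both the parameterized query and a hand-concatenated one, so you can see that the parameterized form treats both as plain data while the concatenated form only survives the first by luck.

```python
import sqlite3

# Added example for the thread above; payloads and sample rows are constructed here.
PAYLOAD_FROM_THREAD = "bowl;drop table foo;--"   # exactly the value asked about
PAYLOAD_WITH_QUOTE = "bowl';drop table foo;--"   # assumed variant that closes the string literal


def fresh_db():
    """In-memory database: a `user` table plus a `foo` table the payload tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table user (id integer primary key, name varchar(64));
        insert into user (name) values ('alice'), ('bowl');
        create table foo (id integer primary key);
        """
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_parameterized(conn, name):
    """Safe form (the PreparedStatement equivalent): statement text and value are passed
    separately, so whatever `name` contains is compared as data, never parsed as SQL."""
    rows = conn.execute("select id from user where name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def concatenated_sql(name):
    """Unsafe form: the value is spliced into the statement text by hand."""
    return "select id from user where name = '" + name + "'"


def run_multi_statement(conn, sql):
    """Stand-in for a driver/server that accepts several ';'-separated statements per call.
    sqlite3's execute() refuses that, so the split is done here with complete_statement(),
    which respects quotes and comments the way a server-side parser would. Returns the
    rows of the last statement that produced any."""
    rows, buf = [], ""
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            got = conn.execute(buf).fetchall()
            if got:
                rows = got
            buf = ""
    rest = buf.strip()
    if rest and not rest.startswith("--"):   # a trailing '--' comment is simply ignored
        got = conn.execute(rest).fetchall()
        if got:
            rows = got
    return [r[0] for r in rows]


def demo(payload):
    """Run both forms against fresh databases and report what each did."""
    safe = fresh_db()
    safe_rows = lookup_parameterized(safe, payload)
    unsafe = fresh_db()
    unsafe_rows = run_multi_statement(unsafe, concatenated_sql(payload))
    return {
        "parameterized_rows": safe_rows,
        "parameterized_foo_intact": table_exists(safe, "foo"),
        "concatenated_rows": unsafe_rows,
        "concatenated_foo_intact": table_exists(unsafe, "foo"),
    }


if __name__ == "__main__":
    print(lookup_parameterized(fresh_db(), "bowl"))   # [2]: a normal value still matches
    print(concatenated_sql(PAYLOAD_FROM_THREAD))
    print(demo(PAYLOAD_FROM_THREAD))   # both forms: 0 rows, foo intact (no quote in the payload)
    print(concatenated_sql(PAYLOAD_WITH_QUOTE))
    print(demo(PAYLOAD_WITH_QUOTE))    # parameterized: 0 rows, foo intact; concatenated: foo dropped
```

With the value from the question, even the concatenated query is harmless, because the payload never closes the opening quote: the whole thing stays one string literal and matches nothing, which is Larry's "0 rows". The variant with an embedded quote shows why that is not a defence: the concatenated text becomes three statements, the `--` comments out the dangling quote, and `foo` is gone, whereas the parameterized query still compares the entire value as one string.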
