By Deane Barker | May 12, 2005 | 1 Comment
If you’ve ever worked with a database, chances are you know the difference between “dynamic queries” and “parameterized queries”. In the former, you just concatenate a value into your query string (“where col='” + val + “'”) and cross your fingers that val isn’t “'; drop database --”.
Um, I don’t care if it’s drop database -- or select password where root, that query would break as the variable ‘val’ is being compared to what the field is.
What you need to be concerned with is if they can add quotes to the val to make it:
select * from table where col='data OR '%"
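As an added example (not code from the post or the comment above), here are the two query styles side by side using Python's sqlite3 module and a constructed in-memory table: the concatenated query lets a closing quote in the value rewrite the WHERE clause, which is the commenter's point, while the parameterized form compares the whole value as a single string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo: three rows in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def dynamic_lookup(conn: sqlite3.Connection, val: str) -> list:
    """The 'dynamic query' style: val is spliced into the SQL text.

    A quote inside val terminates the literal, so the rest of val is parsed
    as SQL rather than compared as data.
    """
    sql = "SELECT name FROM users WHERE name='" + val + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn: sqlite3.Connection, val: str) -> list:
    """The 'parameterized query' style: the driver receives val separately.

    Whatever quotes val contains, the whole string is compared against the
    column; it never becomes part of the statement text.
    """
    sql = "SELECT name FROM users WHERE name=?"
    return [row[0] for row in conn.execute(sql, (val,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quote, in the spirit of the comment above.
    quoted = "x' OR 'a'='a"
    print("dynamic:      ", dynamic_lookup(db, quoted))        # every row
    print("parameterized:", parameterized_lookup(db, quoted))  # no rows
```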