Why does using parameterized queries or entity framework prevent sql injection?

Question

I've got a good grasp on SQL injection. It's when a SQL query that is supposed to be something like

SELECT FirstName, LastName 
FROM Customers 
WHERE CustomerId = @valueFromApplication

Gets turned into a query like

SELECT FirstName, LastName 
FROM Customers 
WHERE CustomerId = '' ; DROP DATABASE Foo --

When the user inserts a malicious value into your app, website, client, whatever.. I'm also aware that instead of just dropping the DB the attacker can try to discover the names of tables and get info out of them.

I also know some things that help prevent this are:

1. Using stored procedures which take parameters (SQL Server)
2. Using parametrized SQL queries
3. Using Entity Framework / LINQ to Entities (C#, maybe F#?)

How do these things actually prevent SQL injection from occurring? Why can't the attacker just pass the same malicious value into whatever input he or she is already using and have the same result.

Answer 1

Your first example is parameterised and is not vulnerable to SQL injection.

Parameterised queries aren't simply replaced by the server with values (like you might do manually replacing @var with value). They are sent and received exactly as you sent it.. with @valueFromApplication.

The server will parse the query.. and when it gets to a variable it will look up the value supplied. If that value is '' ; DROP DATABASE Foo --.. then that becomes the value it uses. It doesn't parse that.. it just uses it as text/number/whatever type it is.

To add about Entity Framework, it internally uses Parameterised query so it is also SQL injection safe.

Answer 2

Parameters are not simply replaced in-line into the SQL - they are sent separately from the query to the SQL Server.

So, SQL Server gets something like:

Query:
   SELECT FirstName, LastName FROM Customers WHERE CustomerId = ?
Parameter 1:
   '' ; DROP DATABASE Foo --

And therefore it compiles a query that checks for a customer whose CustomerId is literally equal to '' ; DROP DATABASE Foo --. The parameter value is never executed as SQL.