Question

If we use the best secure way of executing a query, such as a prepared statement or parameterized query, to prevent SQL injection attacks, is there a guarantee that no database error occurs in executing it? For example, sending an invalid parameter for a given type when inserting a record causes an error instead of using the default value. Can you bring an example?


Solution

One example where parameterised queries don't prevent database errors is a user providing input so long it won't fit inside the database type, such as a 100,000-word essay in a username field limited to 50 characters.

Also, parameterised queries won't protect against duplicate primary key errors if, say, a username requested on a registration form is already taken.

Parameterised queries only ensure the values aren't interpreted as SQL; they won't prevent any other form of error (such as the SQL statement failing because the database is out of disk space).

OTHER TIPS

This depends on the database you're using, but yes, in general the conversions that happen depending on types and such are often implicit, so you could very well pass in strings that fail at run-time to convert to a proper value.

As far as SQL injection attacks go, as long as you don't expect parameters to contain SQL which you then invoke dynamically, you're safe.

No, there is no guarantee that some runtime error (think 'trigger', if nothing else) won't go off.
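The three failure modes named in the answers above (an over-long value, a duplicate primary key, and a value that cannot convert to the column's type) reproduced against an in-memory SQLite database, as an added example that is not part of either answer. The schema, the `users` table and the CHECK constraints are constructed for this demo; SQLite ignores declared VARCHAR lengths, so a `length()` CHECK stands in for the 50-character limit other engines would enforce natively.

```python
import sqlite3

# Constructed schema: CHECK constraints emulate the length limit and strict
# integer typing that engines such as PostgreSQL or SQL Server enforce on
# VARCHAR(50) and INTEGER columns.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY CHECK (length(username) <= 50),
    age INTEGER NOT NULL CHECK (typeof(age) = 'integer')
);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_user(conn, username, age):
    """Parameterised INSERT. Returns (ok, exception class name or None).

    The '?' placeholders guarantee the values are bound as data, never
    parsed as SQL, but every other database-side check still applies.
    """
    try:
        with conn:  # commits on success, rolls back and re-raises on error
            conn.execute(
                "INSERT INTO users (username, age) VALUES (?, ?)",
                (username, age),
            )
        return (True, None)
    except sqlite3.Error as exc:
        return (False, type(exc).__name__)

def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def demo():
    conn = make_db()
    results = {}
    # Injection-looking input is stored verbatim; the table survives.
    results["injection_as_data"] = insert_user(conn, "x'); DROP TABLE users; --", 30)
    # Over-long value: rejected by the length constraint, not by the driver.
    results["too_long"] = insert_user(conn, "a" * 100, 30)
    # Second insert of the same username violates the primary key.
    results["duplicate"] = (insert_user(conn, "alice", 30), insert_user(conn, "alice", 31))
    # Non-numeric text for an INTEGER column fails the type check at run-time.
    results["bad_type"] = insert_user(conn, "bob", "thirty")
    results["rows"] = count_users(conn)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the two well-formed inserts commit; each rejected one surfaces as `sqlite3.IntegrityError`, which the application must catch and map to a user-facing message rather than assume parameterisation made the statement infallible.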

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow