One thought on “Can sql server injections be prevented using Parameters?”

  1. Using parameter placeholders does prevent SQL Server injections. This is due to the fact that the attacker cannot pass any data that would be treated like live SQL, because the parameters where the data comes from will be escaped properly. Since the data inside the parameters is escaped and quoted as string literals, you cannot use functions, column names or table names.
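As an added illustration of the point made in the comment above (this is not code from the original post), the script below puts string concatenation beside placeholder binding. It uses sqlite3 as a stand-in for SQL Server so it runs offline; the `?` placeholder carries the same meaning with a SQL Server driver such as pyodbc. The `users` table and its names are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn


def find_ids_concat(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so the parser
    treats whatever the value contains as SQL."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_ids_param(conn, name):
    """Safe: the SQL text is fixed before the value is known; the value is
    bound to the placeholder and only ever compared as data."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def select_expr_concat(conn, expr):
    """Concatenation lets the caller supply live SQL, here a function call."""
    return [r[0] for r in conn.execute("SELECT " + expr + " FROM users")]


def select_expr_param(conn, expr):
    """The same text bound as a parameter is a string literal: the engine
    returns the text itself and never evaluates it as a function or column."""
    return [r[0] for r in conn.execute("SELECT ? FROM users", (expr,))]


def demo():
    conn = make_db()
    results = {}
    # An apostrophe in ordinary data already breaks the concatenated query,
    # proof that the data reached the SQL parser as SQL text.
    try:
        find_ids_concat(conn, "O'Brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = find_ids_param(conn, "O'Brien")
    # A tautology rewrites the concatenated query's WHERE clause, but when
    # bound as a parameter it is just a name nobody has.
    results["concat_tautology"] = find_ids_concat(conn, "' OR '1'='1")
    results["param_tautology"] = find_ids_param(conn, "' OR '1'='1")
    # Function and column names cannot be smuggled through a parameter.
    results["concat_function"] = select_expr_concat(conn, "UPPER(name)")
    results["param_function"] = select_expr_param(conn, "UPPER(name)")
    return results
```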
