user7163278

Internal vs External use of parameterized SQL command

In terms of SQL injection, I understand why parameterizing a string parameter is important. But is it acceptable or justified not to parameterize a command when working with, let's say, database-dependent software for a company that is primarily targeted at internal use rather than exposed to external influence?

Upvotes: 1

Views: 31

Answers (1)

Your Common Sense

Reputation: 157839

Like I always say, you need it not for Bobby Tables but for Sarah O'Hara. It is a syntactically correct SQL query that you get from the prepared statement in the first place, while protection is just a side effect. It's the destination that matters. You have to mind the SQL query where your data goes into, while the data source should be the last thing to consider.

Besides, I don't see a point in bargaining. What are you trying to buy for yourself here? Are parameters that hard for you? Well, blame the library you are using. A properly implemented parametrized query is the simplest way to run a query.

Upvotes: 3
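The answer's point (a parameterized query is first of all a correct query; the injection protection comes for free) can be seen on a trusted, internal table. The following is an added example written for this page, not code from the question or the answer: it builds a constructed in-memory SQLite table (the `employees` table, the three rows and the `find_by_name_*` helpers are all assumptions for the illustration) and runs the same lookup twice, once with the value concatenated into the SQL text and once with it passed as a parameter.

```python
import sqlite3

# Constructed sample data for the example: an internal staff table in which
# one perfectly legitimate surname contains an apostrophe.
EMPLOYEES = [
    (1, "Bobby Tables", "engineering"),
    (2, "Sarah O'Hara", "finance"),
    (3, "Alice Smith", "engineering"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    # The insert itself is parameterized; the apostrophe in O'Hara is just data here.
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def find_by_name_concat(conn, name):
    """Non-parameterized lookup: the value is pasted into the statement text.

    Returns the list of matching names. If the pasted value breaks the
    statement's syntax, returns the SQLite error message as a string instead,
    so the caller can see the query never reached execution.
    """
    sql = "SELECT name FROM employees WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def find_by_name_param(conn, name):
    """Parameterized lookup: the statement text is fixed, the value travels separately.

    Whatever the string contains, it can only ever be compared against the
    name column; it cannot change the shape of the query.
    """
    sql = "SELECT name FROM employees WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    # Three probes: an ordinary name, an internal colleague's real name with an
    # apostrophe, and a string that happens to look like an injection payload.
    for probe in ["Alice Smith", "Sarah O'Hara", "x' OR '1'='1"]:
        print(repr(probe))
        print("  concatenated  ->", find_by_name_concat(conn, probe))
        print("  parameterized ->", find_by_name_param(conn, probe))
```

Run as written, the concatenated form only works for the plain name: Sarah O'Hara's record cannot be looked up at all because her surname terminates the string literal early and SQLite rejects the statement, and the third probe turns the lookup into a `WHERE ... OR '1'='1'` that returns every row. The parameterized form returns exactly one row for each real name and nothing for the payload, which is the answer's point: the parameter is what makes the query correct for the data you actually have, and the origin of that data (internal staff directory or internet form) changes nothing about that.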