
Matias Goldberg

Posted 08 April 2013 - 03:16 PM

The 2nd option already knows the input is a parameter and there's no doubt it can't be part of the command in the statement, so SQL injection is not possible.


In the 1st option, you would have to properly escape the string, and there's the risk that you're not escaping it properly.
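An added example of the two options the reply contrasts, not code from the original post: it uses Python's standard sqlite3 module, a constructed two-row table, and a name containing an apostrophe to show why option 1 depends on escaping being done right while option 2 binds the input as data.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_concat(conn, name):
    """Option 1: the value is pasted into the SQL text, so any quote in the
    input decides where the string literal ends. Without correct escaping a
    name like O'Brien turns into broken SQL (and worse inputs turn into
    extra SQL)."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Option 2: the driver is told up front that `name` is a parameter.
    It is bound as data and never becomes part of the statement, so no
    escaping is needed and the apostrophe is just a character in a name."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both options on one input; returns (option 1 result, option 2 result).
    Option 1's result is an 'error: ...' string when its SQL fails to parse."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    param = lookup_param(conn, name)
    return concat, param


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(repr(n), "->", compare(n))
```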
