SQL injections with prepared statements?

生来不讨喜 2020-12-10 04:40

If I remember correctly, I think Jeff has mentioned in the Stack Overflow podcast a possible weakness in SQL prepared statements. I'm wondering what kind(s) of weakness(es)

4 answers
  •  臣服心动
    2020-12-10 05:22

    If the statement that is prepared has the parameters dynamically constructed in any way, then that would more than likely be the source of the weakness.

    If you use a proper database library with tested classes for setting parameters, then you don't open yourself up to a SQL injection at any point, prepared statement or not.

    Remember, just because a statement is prepared, or because you are using a stored procedure, it doesn't mean that you are safe from injection attacks. It is only when you are using database provider code which will sanitize the input of parameters (as well as applying it to all parameters that can be used) that you gain protection from SQL injection.
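
The weakness described above, as an added Python/sqlite3 example that is not part of the original answer: the first lookup splices the value into the SQL text before the statement is prepared, so a value containing a quote changes the statement itself; the second keeps the SQL text fixed and lets the driver bind the value. The table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    # The value is built into the statement text, so the database parses
    # the caller's input as part of the SQL. This is "dynamically
    # constructed" even though sqlite3 prepares the resulting statement.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # An apostrophe in the value closed the string literal early and
        # the remainder was parsed as SQL: input has become code.
        return f"error: {exc}"


def lookup_safe(conn, name):
    # The SQL text never changes; the driver binds the value separately,
    # so a quote in the input is just a character in the compared string.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "O'Brien"))  # error: the statement no longer parses
    print(lookup_safe(db, "O'Brien"))    # ["O'Brien"]
```

A cheap check for any code path that claims to use prepared statements is to pass a value containing an apostrophe: a bound parameter returns the matching row, a spliced one breaks or changes the query.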
