StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
11433494
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2012-07-11T13:14:02.697
FavoriteCount
0
LastActivityDate
2012-07-11T13:14:02.697
LastEditDate
LastEditorUserId
0
OwnerUserId
53341
ParentId
11433054
PostTypeId
2
Score
1
ViewCount
0
LastEditorDisplayName
text
Body
If you use parameterised queries the query and the data are supplied to the database separately. This has several effects... <ul> <li>It allows the RDBMS to see that the query is identical to previous instances of that query. (If you embed the data as static values in the query string, the RDBMS will not see that the query is the same and only the data has changed.) This allows execution plan re-use and other beneficial characteristic of the RDBMS.</li> <li>It simplifies the data validation. This is relevant to injection attacks. No matter what values are substituted into the parameter, the data is always just data. It will never be treated as part of the query.</li> </ul> This latter point, however, also means that you can't do this... <pre><code>INSERT INTO @tableName(@fieldName) VALUES (@dataValue) </code></pre> Each parameter is treated as a data item. It isn't a loosely bound script, the value in <code>@tableName</code> won't be substituted into the script. The query must be hard-coded with the table and field names. Only true data items can be passed as parameters. This often feels like a limitation to users of java script, etc. It is, however, the mecahnism that prtects you from SQL Injection attacks. It's a good thing :) This means that to allow user defined Data Definition Lanaguage (Such as a CREATE TABLE) you need to concatenate the different parts of the string together yourself. And virtually no matter what you do to protect yourself from a SQL Injection Attack here, some-one will find a way through. As soon as you allow a user to specify table names, field names, etc, you become immediately open to attack. The only safe way is to have a white-list of allowable strings.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. PODo parameterized statements actually change that data that is stored in the database to prevent SQL Injection?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USMatBailie
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. PODo parameterized statements actually change that data that is stored in the database to prevent SQL Injection?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThanks for the answer. Yes, having a white list of allowable strings is the alternative I chose. Basically just have another table that I have a user input as a column and table names that I've determined as a table name.
 singulars
 PostPostId
 PO
 UserUserId
 USARC

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.