数据库级别的参数化查询会发生什么

Question

I am working on few SQL injection bugs flagged by one of vulnerability scanner and was looking at some of other implementations in application where parameterized queries been used for DB interactions .

I observed in the profiler that all the parameterized queries are actually calling sp_executesql procedure .So,

1) Do all parameterized query implementations with any library are actually just calling this stored procedure ?

2)If no then, is a parameterized query finally converted to just a normal string query and gets executed?

Answer 1

I cannot answer 1). But you can pass the parameter names as well as a varying number of parameters to sp_executesql (Transact-SQL) . So sp_executesql is not a limiting factor here.

2. The database does not create a concatenated string for parametrized queries. It compiles the SQL command string as is, ie with the parameter names and produces an executable query. You can think of it as a method. The parameter values are then passed to this "method" as real parameters.

Besides defeating SQL injection, this has the advantage that the database can cache the compiled query and reuse it the next time the same SQL command is executed, even with different parameter values.

Yet another advantage is that you don't have to care about the right representation of literals. This is especially valuable for date/time literals (which tends to be quite complicated because formats are culture specific and can vary otherwise). You don't need to care about escaping quotes in strings.