How is SQL injection possible when using bind variables?
My DBA says that using bind variables doesn't fully secure one against SQL injection, but I can't find out how this can be the case, since bind variables especially for strings will usually force the injected SQL to be a string in a WHERE clause.
Example:
SELECT CUST_ID
FROM CUST.CUSTOMER
WHERE FIRST_NAME=:FNAME;
If FNAME="SELECT FNMAME WHERE CUST_ID=10040", the database will run the following query
SELECT CUST_ID
FROM CUST.CUSTOMER
WHERE FIRST_NAME="SELECT FNMAME WHERE CUST_ID=10040";
which will return 0 rows.
I scoured the Internet for an answer to this question and even this site, but I couldn't find it.
Thanks again.
Strictly speaking is SQL injection indeed possible when using bind variables. The query below use BV and can be subject of SQL injection in case the parameter column_list is manipulated.
'select' + column_list + ' from T where col :1'
So what is missing is using bind variables in a statical query and avoiding statement concatination using parameters e.g. for column list.