Yeah. It’s still possible to program in such a way that that works, and it’s always been possible to program in such a way that it doesn’t work. But prepared statements make it easier to program in such a way that it doesn’t work, by allowing the programmer to pass executable code (which is probably directly embedded as a literal in their application language) separately from the parameters (which may be user-supplied).
(I could imagine a SQL implementation forbidding all strings directly embedded in queries, and requiring them to be passed through prepared statements or a similar mechanism. That still wouldn’t make these attacks outright impossible, but it would be an added layer of security.)
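A worked illustration of the point above, added here and not part of the original comment: one lookup splices the user-supplied value into the SQL text, the other passes it as a bound parameter so the query text stays an application literal. The `guarded_execute` registry at the end is a hypothetical approximation of the "forbid strings embedded in queries" idea from the second paragraph; the table, rows and `CRAFTED` input are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo, not from the original thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so the
    database cannot distinguish the programmer's code from the user's data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# Hypothetical enforcement layer (assumption, not a real library feature):
# only query text registered here as an application constant may reach the
# database. This approximates a SQL implementation that refuses any query
# string not passed through a prepared-statement mechanism.
REGISTERED_QUERIES = frozenset({
    "SELECT name FROM users WHERE name = ?",
})


def guarded_execute(conn, sql, params=()):
    """Refuse any SQL text that is not a registered application constant."""
    if sql not in REGISTERED_QUERIES:
        raise ValueError("query text is not a registered constant")
    return conn.execute(sql, params)


def lookup_prepared(conn, name):
    """Hardened form: the SQL text is a literal in the application and the
    value travels separately as a bound parameter; it is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in guarded_execute(conn, sql, (name,))]


# Constructed input that changes the meaning of the concatenated query but is
# treated as an ordinary string by the parameterized one.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_concat(conn, CRAFTED))    # every row: ['alice', 'bob']
    print(lookup_prepared(conn, CRAFTED))  # no match: []
```

Running it shows the same input producing every row through the concatenated query and no rows through the parameterized one; the registry additionally rejects any query text that was built at runtime rather than written as a constant.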