Well actually Kunals your freind in this case is wrong because let me tell you why.

I have sql injected hundreds of websites each year and you state that your freind knows that the admins know this trick and fixes it? If they know this trick t hen how come there sites are still vunerable? and yet there are 100000000000 of vunerbilities into website that are considered SQL injection?