Win a copy of Android Programming: The Big Nerd Ranch Guide this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

How to ensure SQL-injection isn't possible?  RSS feed

 
Yuriy Zilbergleyt
Ranch Hand
Posts: 429
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello,

I know that with PreparedStatements, values automatically get escaped so a value containing a single quote, for example, won't be a problem. However I'm currently coding for MySQL, in which PreparedStatements are actually slower than Statements (because there's no native support for them I guess.) Is there a function in JDBC somewhere that automatically escapes a parameter so it can be added to a SQL string as a literal?

Similar question for the byte array of a serialized java object. Is it possible to insert one using a normal Statement?

Thank you,
Yuriy
 
Maximilian Xavier Stocker
Ranch Hand
Posts: 381
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The quick answer is no there is not another method. Namely because such escaping is DB dependent which is what PreparedStatements are for.

You should stick with PreparedStatements because the security and portability benefits FAR outweigh any performance hit you are taking.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!