
Blocking characters

 
Dilshan Edirisuriya
Ranch Hand
Posts: 299
In my servlet I have database insert code which depends on a request parameter. If I enter the " ' " character in the text box it results in an SQLException, because the string is terminated from that point.
In order to allow the " ' " key, what should I do? Should I block the key, or replace it with the " \' " character, or is there any mechanism to handle it?

[ August 03, 2007: Message edited by: Dilshan Edirisuriya ]
 
David O'Meara
Rancher
Posts: 13459
This means your code is insecure and open to SQL Injection (please look it up).

You should use a PreparedStatement at the back end rather than a Statement.
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
See also StringEscapeUtils for an approach that escapes those characters so they can't mess you up.

Are you familiar with SQL injection? Say you built a SQL string like:

sql = "SELECT * FROM USER WHERE USERID = '" + userid + "'"

and somebody entered a userid like:

bob';DELETE FROM USER WHERE USERID != '

Folks who know their way around databases can query the system tables, learn all your table and column names, execute any query they like.
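Stan's lookup and David's fix side by side, as an added example that is not code from the thread. It is a stand-alone Java program that runs Stan's query both ways against an in-memory H2 database (assumption: the H2 driver is on the classpath; any JDBC driver works with its own URL). The table is called APP_USER rather than USER, because USER is a reserved word in H2, and the three sample rows and the three inputs are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Stan's SELECT built two ways and run against an in-memory H2 database.
 * Assumption: the H2 driver (h2*.jar) is on the classpath. The table is
 * APP_USER instead of USER because USER is a reserved word in H2.
 */
public class InjectionDemo {

    /** Vulnerable: the request parameter becomes part of the SQL text. */
    static int lookupUnsafe(Connection c, String userid) throws SQLException {
        String sql = "SELECT * FROM APP_USER WHERE USERID = '" + userid + "'";
        System.out.println("  executing: " + sql);
        try (Statement st = c.createStatement()) {
            // execute() rather than executeQuery() so the demo can show what
            // happens when the input smuggles in a second statement. H2 runs
            // the trailing DELETE; MySQL Connector/J refuses stacked statements
            // unless allowMultiQueries=true, which stops this payload but not
            // the tautology below.
            boolean hasResult = st.execute(sql);
            return hasResult ? countRows(st.getResultSet()) : 0;
        }
    }

    /** Fixed: the SQL text is a constant and the value is bound as a parameter. */
    static int lookupSafe(Connection c, String userid) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT * FROM APP_USER WHERE USERID = ?")) {
            ps.setString(1, userid);   // sent to the database as data, never as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) n++;
        return n;
    }

    static int tableSize(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM APP_USER")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Recreate the table with three constructed rows before each attempt. */
    static void reset(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("DROP TABLE IF EXISTS APP_USER");
            st.execute("CREATE TABLE APP_USER (USERID VARCHAR(50) PRIMARY KEY)");
            st.execute("INSERT INTO APP_USER VALUES ('alice'), ('bob'), ('carol')");
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // Constructed inputs: one honest value, two attacks.
            String[] inputs = {
                "bob",                                          // normal lookup
                "' OR '1'='1",                                  // tautology: matches every row
                "bob';DELETE FROM APP_USER WHERE USERID != '"   // Stan's stacked DELETE
            };
            for (String input : inputs) {
                System.out.println("input: " + input);
                reset(c);
                try {
                    System.out.println("  unsafe matched " + lookupUnsafe(c, input)
                            + " rows, table now has " + tableSize(c));
                } catch (SQLException e) {
                    System.out.println("  unsafe threw: " + e.getMessage());
                }
                reset(c);
                System.out.println("  safe   matched " + lookupSafe(c, input)
                        + " rows, table now has " + tableSize(c));
            }
        }
    }
}
```

Run it with the H2 jar on the classpath. For "bob" both versions match one row. For the tautology the unsafe version matches all three rows and the safe version none, because the bound value is compared literally against USERID. For Stan's payload the unsafe version returns bob and then empties the table (the `!= ''` deletes every non-empty USERID, bob included); the safe version matches nothing and leaves all three rows in place.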
 
Dilshan Edirisuriya
Ranch Hand
Posts: 299
I have heard about SQL injection but I don't know how to get rid of that. Stan, what method should I use in the StringEscapeUtils class? Is that escapeSQL()?
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Dilshan Edirisuriya:
I have heard about SQL injection but I don't know how to get rid of that.

Look back at David's post.
 
Dilshan Edirisuriya
Ranch Hand
Posts: 299
I haven't used PreparedStatement at all in my code. I have used the Statement object instead. I think it is hard to change the code now, because there are around 150 classes that use it. So what should I do? Is it okay if I use the StringEscapeUtils class to cope with that?
 
Ben Souther
Sheriff
Posts: 13411
I'm not familiar with that library, but you will need to ensure, somehow, that SQL code entered by a user can never be run in your statements.

In particular, you'll need to make sure that words like UPDATE, DELETE, INSERT, and SELECT are always escaped.
[ August 07, 2007: Message edited by: Ben Souther ]
 
Sundaram Karthick
Greenhorn
Posts: 24
Go through this: Preventing SQL injection. Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver. Even from a performance point of view, prepared statements are faster than the ones you use.
Hope this helps.
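The escaping question (Dilshan's escapeSql() idea and Ben's keyword filtering) against the PreparedStatement answer, as an added example that is not code from the thread. The program runs the original poster's INSERT two ways: the existing Statement code with quote doubling bolted on (a local reimplementation of what Commons Lang 2.x StringEscapeUtils.escapeSql() did, which was only to turn ' into ''), and a PreparedStatement version. With a PreparedStatement the driver sends the statement text and the parameter values separately, so there is nothing to escape. Assumptions: the H2 driver is on the classpath, and the PERSON table with NAME and AGE columns and all inputs are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * The servlet's INSERT done two ways: the old Statement code with a
 * quote-doubling escape added, and the PreparedStatement replacement.
 * Assumes the H2 driver on the classpath; PERSON(NAME, AGE) is invented.
 */
public class EscapeVsBind {

    /** Local stand-in for Commons Lang 2.x escapeSql(): each ' becomes ''. Nothing else changes. */
    static String doubleQuotes(String s) {
        return s.replace("'", "''");
    }

    /** Old-style insert, patched with escaping. AGE is numeric, so it is pasted in bare. */
    static void insertEscaped(Connection c, String name, String age) throws SQLException {
        String sql = "INSERT INTO PERSON (NAME, AGE) VALUES ('"
                + doubleQuotes(name) + "', " + age + ")";
        System.out.println("  executing: " + sql);
        try (Statement st = c.createStatement()) {
            // On drivers that run stacked statements (H2 does) an AGE value
            // of "0); DELETE FROM PERSON; --" empties the table; there is no
            // quote in the attack for doubleQuotes() to touch.
            st.executeUpdate(sql);
        }
    }

    /** The replacement: the SQL never changes, both values are bound. */
    static void insertBound(Connection c, String name, String age) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "INSERT INTO PERSON (NAME, AGE) VALUES (?, ?)")) {
            ps.setString(1, name);                  // apostrophes need no treatment
            ps.setInt(2, Integer.parseInt(age));    // bad input fails here, outside SQL
            ps.executeUpdate();
        }
    }

    static int rowCount(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM PERSON")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    /** Recreate the table with two constructed rows before each attempt. */
    static void reset(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("DROP TABLE IF EXISTS PERSON");
            st.execute("CREATE TABLE PERSON (NAME VARCHAR(50), AGE INT)");
            st.execute("INSERT INTO PERSON VALUES ('alice', 31), ('bob', 42)");
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo2")) {
            // Constructed inputs: the apostrophe from the original question,
            // then an attack that lives entirely in the numeric field.
            String[][] inputs = {
                { "O'Meara", "54" },
                { "mallory", "0); DELETE FROM PERSON; --" },
            };
            for (String[] in : inputs) {
                System.out.println("input: name=" + in[0] + " age=" + in[1]);

                reset(c);
                try {
                    insertEscaped(c, in[0], in[1]);
                    System.out.println("  escaped insert ok, PERSON has " + rowCount(c) + " rows");
                } catch (SQLException e) {
                    System.out.println("  escaped insert threw: " + e.getMessage());
                }

                reset(c);
                try {
                    insertBound(c, in[0], in[1]);
                    System.out.println("  bound insert ok, PERSON has " + rowCount(c) + " rows");
                } catch (NumberFormatException e) {
                    System.out.println("  bound insert rejected age: " + e.getMessage());
                }
            }
        }
    }
}
```

For O'Meara both paths insert the row and PERSON ends with three rows, which is the only case quote escaping solves. For the second input the escaped path executes the DELETE and PERSON is left empty, while the bound path never reaches the database because Integer.parseInt rejects the value. Filtering words such as DELETE would not have helped either: the attacker can pick any statement the database accepts, and the word "Delete" is a legitimate surname. For the 150 classes in question the migration is mechanical: replace each concatenated literal with ? and each concatenation with the matching setXxx call.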
 