
avoid sql injection

 
anarkali perera
Ranch Hand
Posts: 237
What are the methods of avoiding SQL injection?
 
Jan Cumps
Bartender
Posts: 2596
Hi,

the most effective and easy method is to bind parameters to an SQL statement, instead of concatenating values into an SQL string.
In JDBC, this is done using a PreparedStatement.


Wikipedia has an understandable explanation.

 
anarkali perera
Ranch Hand
Posts: 237
I found stored procedures to be one way as well. Are there any other ways?
 
Scott Selikoff
author
Saloon Keeper
Posts: 4020
Not necessarily. SQL injection is about validating input parameters. For example, any SQL query that takes no input parameters is immune to SQL injection.
 
anarkali perera
Ranch Hand
Posts: 237
So how do I validate the input parameter?
Is there a default in Java or SQL?

I found that using stored procedures and hashing can also avoid SQL injection. Is it true?
 
Paul Sturrock
Bartender
Posts: 10336
You don't need to validate parameters if you use a PreparedStatement.


I found that using stored procedures and hashing can also avoid SQL injection. Is it true?

Not sure what you mean by this. How would you use hashing to stop SQL injection?
 
anarkali perera
Ranch Hand
Posts: 237
I heard it from someone. I can't guarantee that; that's why I put it here.
 
Paul Sturrock
Bartender
Posts: 10336
I can't think of a way of doing that. Do you have a link to where you read it?
 
anarkali perera
Ranch Hand
Posts: 237
 
Paul Sturrock
Bartender
Posts: 10336
I'm assuming you mean the "salted hash" mechanism for protecting data? This isn't really a SQL injection defence (that article, despite its title, is about more than just SQL injection); it is more an extra restriction on sensitive data, and the paragraph you mention summarises it quite succinctly.
 