avoid sql injection

Ranch Hand
What are the methods of avoiding SQL injection?
Bartender
Hi,

the most effective and easy method is to bind parameters to an SQL statement, instead of concatenating values into an SQL string.
In JDBC, this is done using a PreparedStatement.


Wikipedia has an understandable explanation.
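The bind-parameters advice in this reply, as an added example that is not from the original thread: it uses Python's standard sqlite3 module so it runs without a JDBC driver, but the ? placeholder is filled in the same way as with setString on a JDBC PreparedStatement. The users table and its two rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's string becomes part of the SQL text, so a
    quote character inside it changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, username: str) -> list:
    """Safe: the driver parses the statement first and then supplies the
    value for '?', so the input is always compared as data, never run as
    SQL. This is what a JDBC PreparedStatement does with setString."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> tuple:
    """Run the same lookup both ways and return (concatenated, bound)."""
    conn = open_sample_db()
    try:
        return (find_user_concatenated(conn, username),
                find_user_bound(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary username behaves the same either way.
    print(compare("alice"))
    # Input containing a quote: concatenation returns every user because the
    # WHERE clause is rewritten, while binding returns nothing because no
    # username equals that literal string.
    print(compare("' OR '1'='1"))
```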

anarkali perera
Ranch Hand
I found stored procedures are also one way. Are there any other ways?
author
Not necessarily. SQL injection is about validating input parameters. For example, any SQL query that takes no input parameters is immune to SQL injection.
anarkali perera
Ranch Hand
So how do I validate the input parameter?
Is there a default in Java or SQL?

I found that using stored procedures and hashing also can avoid SQL injection. Is it true?
Bartender
You don't need to validate parameters if you use a PreparedStatement.

I found that using stored procedures and hashing also can avoid SQL injection. Is it true?

Not sure what you mean by this. How would you use hashing to stop SQL injection?
anarkali perera
Ranch Hand
I heard it from someone. I can't guarantee that. That's why I put it here.
Paul Sturrock
Bartender
I can't think of a way of doing that. Do you have a link to where you read it?
anarkali perera
Ranch Hand

Paul Sturrock
Bartender
I'm assuming you mean the "salted hash" mechanism for protecting data? This isn't really a SQL injection defence (that article, despite its title, is about more than just SQL injection); this is more an extra restriction on sensitive data, and the paragraph you mention summarises it quite succinctly.