• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

avoid sql injection

 
Ranch Hand
Posts: 237
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
what are the methods of avoiding sql injection?
 
Bartender
Posts: 2661
19
Netbeans IDE C++ Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

the most effective and easy method is to bind parameters to an sql statement, in stead of concatenating values into an sql string.
In JDBC, this is done using a PreparedStatement.


Wikipedia has an understandable explanation.

 
anarkali perera
Ranch Hand
Posts: 237
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
i found stored procedure also a one way.is there aby other ways?
 
author
Posts: 4335
39
jQuery Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Not necessarily, SQL injection is about validating input parameters. For example, any SQL query that takes no input parameters is immune to SQL injection.
 
anarkali perera
Ranch Hand
Posts: 237
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
so how to validate the input parameter?
is there default in java or sql?

i found that using stored procedures and Hashing also can avoid the sql injection.Is it true?
 
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You don't need to validate parameters if you use a PreparedStatement.


i found that using stored procedures and Hashing also can avoid the sql injection.Is it true?


Not sure what you mean by this. How would you use hashing to stop SQL injection?
 
anarkali perera
Ranch Hand
Posts: 237
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
i hear from someone.I can't guarntee about that?That's why put it hear?
 
Paul Sturrock
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I can't think of a way of doing that. Do you have a link to where you read it?
 
anarkali perera
Ranch Hand
Posts: 237
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
read 5 th paragraph
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
 
Paul Sturrock
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm assuming you mean the "salted hash" mechanism for protecting data? This isn't really a SQL injection defence (that article, despite its title, is about more than just SQL injection), this is more an extra restriction on sensative data, and the paragraph you mention summarises it quite succinctly.
 
reply
    Bookmark Topic Watch Topic
  • New Topic