Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand
Assume that we have data inside the DTOObject


My question is how to check for things like 1='1' in the SQL?

Please tell me, in this code, how can we prevent SQL injection? How can we check for malicious characters?

Jeanne Boyarsky
author & internet detective
Sheriff
Ravi,
You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME, PWD from LoginTable where uname=? and PWD=?";

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.
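
The behaviour described in this answer, as an added example that is not code from the original thread: the same login query built by string concatenation beside the PreparedStatement form, both run with a tautology payload against a constructed one-row LoginTable. It assumes the H2 JDBC driver is on the classpath so an in-memory database can be used; the class name, method names and sample row are assumptions for the demo, and the clear-text PWD column is only kept to match the thread's query.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not from the original thread. Assumes the H2 JDBC driver
 * (h2-*.jar) is on the classpath; the table and column names follow the
 * query quoted in the answer above. Storing passwords in clear text is a
 * separate problem; the point here is only how the input is bound.
 */
public class LoginQueryDemo {

    // Attacker-controlled input: the classic tautology payload.
    static final String PAYLOAD = "x' OR '1'='1";

    // VULNERABLE: the input is spliced into the SQL text, so the quote
    // characters in the payload change the structure of the statement.
    static int countVulnerable(Connection conn, String uname, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where uname='" + uname
                + "' and PWD='" + pwd + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // SAFE: the SQL text is fixed and contains only placeholders; the driver
    // sends the values separately, so the payload is compared as a literal
    // string and matches no row.
    static int countSafe(Connection conn, String uname, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where uname=? and PWD=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, uname);
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data: a single legitimate account.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("create table LoginTable (UNAME varchar(50), PWD varchar(50))");
                st.execute("insert into LoginTable values ('alice', 's3cret')");
            }

            // Concatenated SQL: the payload turns the WHERE clause into a
            // tautology, so the one stored row comes back without a password.
            System.out.println("concatenated SQL, payload rows:   "
                    + countVulnerable(conn, PAYLOAD, PAYLOAD));

            // PreparedStatement: the same payload is just a string value that
            // matches nothing, so zero rows come back.
            System.out.println("PreparedStatement, payload rows:  "
                    + countSafe(conn, PAYLOAD, PAYLOAD));

            // The real credentials still work through the prepared form.
            System.out.println("PreparedStatement, real credentials: "
                    + countSafe(conn, "alice", "s3cret"));
        }
    }
}
```

With the payload, the concatenated statement reads `... where uname='x' OR '1'='1' and PWD='x' OR '1'='1'`, which is true for every row, while the prepared statement never has its text altered by the input. Parameter binding only protects values; table and column names, ORDER BY targets and the like cannot be bound and must come from an allow-list in the code rather than from the user.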