
Preventing SQL Injection in DAO Layer

 
Ravi Kiran Va
Ranch Hand
Posts: 2234
Assume that we have data inside the DTOObject.

My question is how to check for things like 1='1' in the SQL?

Please tell me, in this code, how can we prevent SQL Injection? How can we check for malicious characters?
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
Ravi,
You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME , PWD from LoginTable where uname=? and PWD=?";

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.
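Here is the approach from the reply above worked into a small DAO class. This is an added example, not code from the thread; the class name `LoginDao`, the method names, and the in-memory H2 database used by `main` (assumed to be on the classpath) are all assumptions. The unsafe method is included only for contrast, so the difference in how the two queries are built is visible side by side.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {

    private final Connection conn;

    public LoginDao(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable form (for contrast only): the user input becomes part of the
    // SQL text, so the driver cannot tell data from query structure. Scanning
    // the input for "bad characters" does not fix this reliably.
    public boolean authenticateUnsafe(String uname, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where UNAME = '" + uname
                + "' and PWD = '" + pwd + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the SQL text contains only placeholders. The values are
    // bound separately, so whatever the user types is compared as a literal
    // string and can never change the shape of the query.
    public boolean authenticate(String uname, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where UNAME = ? and PWD = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, uname);
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Constructed demo: H2 in-memory database (assumed dependency), with a
    // table that mirrors the LoginTable from the thread.
    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("create table LoginTable (UNAME varchar(50), PWD varchar(50))");
                st.execute("insert into LoginTable values ('alice', 's3cret')");
            }
            LoginDao dao = new LoginDao(c);

            // Correct credentials match in both versions.
            System.out.println(dao.authenticate("alice", "s3cret"));        // true
            System.out.println(dao.authenticateUnsafe("alice", "s3cret"));  // true

            // A tautology in the password field: with binding it is just a
            // string that matches no row, so the login is refused.
            String tautology = "' or 1='1";
            System.out.println(dao.authenticate("alice", tautology));       // false
            System.out.println(dao.authenticateUnsafe("alice", tautology)); // true
        }
    }
}
```

Two points worth keeping in mind when applying this in a DAO layer: the protection comes from the `?` placeholders plus `setString`/`setInt` and so on, not from the `PreparedStatement` class by itself, so concatenating input into the SQL string and then wrapping it in `prepareStatement` gains nothing; and placeholders can only bind values, never table or column names or `ORDER BY` targets, so those must come from a fixed whitelist in code rather than from the request.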
 