
how to avoid the SQL injection attack ?

 
Edward Chen
Ranch Hand
Posts: 798
In a text box input in the JSP / Swing, how to avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?

Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65335
To begin with, be sure to use a PreparedStatement with parameters, rather than using string concatenation to build SQL statements.
 
Lukas Eder
Ranch Hand
Posts: 49
Edward Chen wrote: In a text box input in the JSP / Swing, how to avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?


The first rule of thumb is to never trust user input in your application. This is true regardless of whether you store data in a database or somewhere else where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such:



Quoting single quote characters. However, there are a couple of edge-cases that you may not think of, so it might be better to use PreparedStatements anyway.

Some third-party libraries like jOOQ or JaQu, or even just JPA help you prevent SQL injection transparently. More insight can be found in this blog post that I've recently written:
http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection

It compares various third-party libraries with respect to their helpfulness in preventing SQL injection.
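The two answers above both come down to the same point: bind the text box value as a parameter instead of pasting it into the SQL string. The following is an added example, not code from either poster or from the jOOQ project, that puts the concatenated query beside the PreparedStatement version and beside the manual quote-doubling mentioned above. It assumes an H2 in-memory database (`jdbc:h2:mem:demo`, the H2 jar on the classpath); the table, rows and input strings are constructed for the demo, and the same JDBC calls apply to any driver.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: string concatenation versus bind values in JDBC.
 * Assumes the H2 driver on the classpath; the data below is constructed.
 */
public class InjectionDemo {

    // Constructed sample rows, including a name that legitimately contains a quote.
    static void seed(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50), secret VARCHAR(50))");
            st.execute("INSERT INTO users VALUES (1, 'alice', 'a-secret')");
            st.execute("INSERT INTO users VALUES (2, 'bob', 'b-secret')");
            st.execute("INSERT INTO users VALUES (3, 'o''brien', 'o-secret')");
        }
    }

    // VULNERABLE: the text box value is spliced into the SQL text, so quote
    // characters in it change the structure of the WHERE clause.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the SQL text is fixed; the value travels to the database as data
    // and is never parsed as part of the statement.
    static int countByNameBound(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Manual escaping by doubling single quotes. It only covers values that
    // always land inside a quoted string literal; a value concatenated
    // unquoted (e.g. into a numeric comparison) is not protected by this.
    static String escapeQuotes(String s) {
        return s.replace("'", "''");
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            seed(c);
            String normal = "alice";
            String hostile = "x' OR '1'='1"; // constructed text box input

            System.out.println("concat, normal input : " + countByNameConcat(c, normal));
            System.out.println("concat, hostile input: " + countByNameConcat(c, hostile));
            System.out.println("bound,  normal input : " + countByNameBound(c, normal));
            System.out.println("bound,  hostile input: " + countByNameBound(c, hostile));
            System.out.println("concat, escaped input: " + countByNameConcat(c, escapeQuotes(hostile)));
            System.out.println("bound,  o'brien      : " + countByNameBound(c, "o'brien"));
        }
    }
}
```

Running it shows the difference directly: with the concatenated query the hostile input makes the WHERE clause true for every row, while the bound version simply looks for a user whose name is literally that string and finds none. The last line shows the other half of the point: a quote in genuine data (the name o'brien) needs no special handling at all once it is bound, which is why the PreparedStatement route is simpler than getting escaping right for every dialect and every context.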
 