Edward Chen wrote: In a text box input in JSP / Swing, how do I avoid SQL injection attacks? How can I convert all those SQL keywords to something else? Do we have a third-party library?
The first rule of thumb is to never trust user input in your application. This is true regardless of whether you store data in a database or somewhere else where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such: quoting single quote characters. However, there are a couple of edge cases that you may not think of, so it might be better to use PreparedStatements anyway.

Some third-party libraries like jOOQ or JaQu, or even just JPA, help you prevent SQL injection transparently. More insight can be found in this blog post that I've recently written: http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection

It compares various third-party libraries with respect to their helpfulness in preventing SQL injection.
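To make the PreparedStatement point concrete, here is an added example (not code from the original answer) that runs the same lookup once by string concatenation and once with a bind value against an in-memory H2 database; having the H2 driver on the classpath is an assumption, and the table and inputs are constructed for the demo. A legitimate name containing a quote works only with binding, and a quote-bearing input that breaks out of the literal is treated as plain data by the bound version.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindValuesDemo {

    // Vulnerable: the user-supplied value is spliced into the SQL text itself.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed; the value travels separately as a bind parameter.
    static int countByNameBound(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 is on the classpath; any JDBC driver behaves the same way here.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob'), ('O''Brien')");
            }
            String legit = "O'Brien";         // constructed: a real name containing a quote
            String hostile = "x' OR '1'='1";  // constructed: closes the literal early

            System.out.println(countByNameBound(c, legit));   // 1: the quote is just data
            System.out.println(countByNameBound(c, hostile)); // 0: no row has that exact name
            System.out.println(countByNameConcat(c, hostile)); // 3: WHERE clause became a tautology
            try {
                countByNameConcat(c, legit); // the stray quote ends the literal: syntax error
            } catch (SQLException e) {
                System.out.println("concatenation rejects a legitimate value: " + e.getMessage());
            }
        }
    }
}
```

The last call shows the edge case mentioned above: escaping by doubling single quotes would fix the legitimate name, but binding handles it without any escaping logic to get wrong.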