
How to avoid the SQL injection attack?

Ranch Hand
Posts: 798
In a text box input in the JSP / Swing, how to avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third party library?

Thanks
Sheriff
Posts: 67746
To begin with, be sure to use a PreparedStatement with parameters, rather than using string concatenation to build SQL statements.
Ranch Hand
Posts: 50
Edward Chen wrote: In a text box input in the JSP / Swing, how to avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third party library?

The first rule of thumb is to never trust user input in your application. This is true regardless of whether you store data in a database or somewhere else where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such:



Quoting single quote characters. However, there are a couple of edge cases that you may not think of, so it might be better to use PreparedStatements anyway.

Some third-party libraries like jOOQ or JaQu, or even just JPA, help you prevent SQL injection transparently. More insight can be found in this blog post that I've recently written:
http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection

It compares various third-party libraries with respect to their helpfulness in preventing SQL injection.
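The PreparedStatement approach recommended in both answers, shown beside the string-concatenation form it replaces. This is an added example and not code from either poster; it assumes a hypothetical `users` table with `name` and `email` columns and a `java.sql.Connection` supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical lookup class; the table and column names are assumptions.
public class UserLookup {

    // Vulnerable: the text-box value becomes part of the SQL text itself.
    // A single quote in the value ends the string literal early, and whatever
    // follows is parsed by the database as SQL rather than treated as data.
    static String findEmailUnsafe(Connection conn, String userName) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + userName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Safe: the SQL text is fixed and contains only a placeholder. The value is
    // bound separately, so the driver handles quoting (and the dialect-specific
    // edge cases) and the input can only ever be compared as a string value.
    static String findEmail(Connection conn, String userName) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

Note that a `?` placeholder can only stand in for a value; a table or column name chosen from user input still has to be checked against a fixed list of allowed identifiers before it is put into the SQL text.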