Win a copy of Head First Android this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Liutauras Vilda
Sheriffs:
  • Jeanne Boyarsky
  • Rob Spoor
  • Bear Bibeault
Saloon Keepers:
  • Jesse Silverman
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
Bartenders:
  • Piet Souris
  • Al Hobbs
  • salvin francis

SQL injection issue in java code

 
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have below main method which shows SQL injection flaw (as string concatenation is done here) when scanned for coding standards/rules.
   
I want to remove the SQL injection flaw. As my `name` parameter is dynamic, I cannot set it with `preparedStatement`. What can be a optimal solution to this?

NOTE: Using 2 different queries in `if-else` block will not solve the purpose as I have 7 different parameters to be set dynamically which will introduce overhead as there will be many queries.
 
Ranch Hand
Posts: 230
IntelliJ IDE Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I recommend Parameterized Queries:



Above code would be useful
 
Saloon Keeper
Posts: 7169
165
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It is a SQL injection vulnerability only if the dynamic parts of the query aren't checked before being used. If the code ensures that neither "name" nor "subName" contains anything that upsets the SQL statement, then there is no vulnerability.

Santosh Kumar Nayak wrote:...I recommend Parameterized Queries...


Prepared statements do not work in this case, as Abhishek already mentioned.
 
author & internet detective
Posts: 40796
828
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
A static analysis tool can only tell you about a *potential* issue. Picture the tool telling you "I can't certify this; can you human take another look."

You need to whitelist the parameter field name to ensure it is safe. For example, you might check it only contains letters.
 
Rancher
Posts: 4801
50
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Tim Moores wrote:
Prepared statements do not work in this case, as Abhishek already mentioned.



Well, they do, but it takes a little more work.
You build up the queryand then assign the parameters in a loop, exactly how depends on where the search criteria is coming from, but a List of Field Name/Search Value is one.
That's how a lot of search queries work, where you don't know exactly what fields are going to be queried on.
reply
    Bookmark Topic Watch Topic
  • New Topic