" SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (�) to the parameters, it is possible to cause a second query to be executed with the first. "
We use Statement and Prepared Statement a lot in out web based and independent applictions. Statements ========== Here I feel there is a possiblity of SQL Query can be Injected by an attacker so that he can either make the dbms to disclose the confidential data or even delete the records. Suppose we have a query String query= "SELECT * from employee"; which is some how accessible thru a JSP page. An intellegent Attacker can modify the query like "SELECT * from employee; Delete * from employee"; This is the one of the major issues faced by web sited developed in ASP. I heard if you use PreparedStatement we could work around the problem. Does anybody face the problem like this.. Do we have safe mechanism in java if we have to use Statement?
Originally posted by Sainudheen Mydeen: Can SQL-injection be done with JSP?
If you write a poorly configured application, sure. Do you give admin access to your web account? Do you allow quotes in user ids or passwords? Prepared statements or stored procedures would make you less vulnerable.