SQL Injection

ford Darcy Jr
Ranch Hand

Joined: Jan 26, 2005
Posts: 76
Hi,

How can I avoid the effects of SQL injection in my webapp? I am using servlets to develop my application. I am also using prepared statements. My query goes something like this:

Select * from tablename where column1 like '%" + Column1 + "%';

Can anybody please suggest how to modify my SQL query to avoid SQL injection effects?

Thanks.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61238
    
  66

This is much more of a JDBC question than one on servlets. I'll recommend that this be moved.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61238
    
  66

You say that you are using a prepared statement, and yet



you are not taking advantage of the parameterization.

Rather



and use the setString() method to set the value of the ?.
[ August 09, 2005: Message edited by: Bear Bibeault ]
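The advice above, worked through as an added example (not code from the original thread). It binds the search term with setString() as Bear describes, keeps the '%' wildcards in the bound value rather than in the SQL text (a literal '%?%' in the SQL would be a string containing a question mark, not a placeholder), and additionally escapes '%' and '_' so the user's input is matched literally. The table and column names come from the thread; the escape character '!', the helper names, and the JDBC URL taken from the command line are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SafeLikeSearch {

    // Assumed escape character for the LIKE pattern. '!' is chosen instead of
    // a backslash because some databases (e.g. MySQL) already treat backslash
    // specially inside string literals.
    private static final String ESCAPE_CHAR = "!";

    // Escape the LIKE metacharacters so that user input matches literally:
    // a search for "50%" should find rows containing "50%", not rows that
    // merely start with "50".
    static String escapeLikeWildcards(String input) {
        return input.replace(ESCAPE_CHAR, ESCAPE_CHAR + ESCAPE_CHAR)
                    .replace("%", ESCAPE_CHAR + "%")
                    .replace("_", ESCAPE_CHAR + "_");
    }

    // Parameterized form of the thread's query. The SQL text is a constant;
    // the user's input only ever travels as a bound parameter, so it cannot
    // change the structure of the statement.
    static List<String> search(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT column1 FROM tablename WHERE column1 LIKE ? ESCAPE '"
                + ESCAPE_CHAR + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The wildcards are added to the value, not to the SQL string.
            ps.setString(1, "%" + escapeLikeWildcards(userInput) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                List<String> rows = new ArrayList<>();
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
                return rows;
            }
        }
    }

    // Usage: java SafeLikeSearch <jdbc-url> <search-term>
    // Assumes a JDBC driver for the given URL is on the classpath and that
    // the database contains tablename(column1).
    public static void main(String[] args) throws SQLException {
        if (args.length != 2) {
            System.err.println("usage: SafeLikeSearch <jdbc-url> <search-term>");
            return;
        }
        try (Connection conn = DriverManager.getConnection(args[0])) {
            for (String row : search(conn, args[1])) {
                System.out.println(row);
            }
        }
    }
}
```

The escaping step is independent of the injection fix: binding with setString() alone already stops the input from altering the statement, but without escaping, a '%' or '_' typed by the user would still be interpreted as a wildcard by LIKE.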
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: SQL Injection