SQL Injection

ford Darcy Jr
Ranch Hand

Joined: Jan 26, 2005
Posts: 76
Hi,

How can I avoid the effects of SQL injection in my webapp? I am using servlets to develop my application. I am also using prepared statements. My query goes something like this:

Select * from tablename where column1 like '%" + Column1 + "%';

Can anybody please suggest how to modify my SQL query to avoid SQL injection effects?

Thanks.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56185

This is much more of a JDBC question than one on servlets. I'll recommend that this be moved.


[Smart Questions] [JSP FAQ] [Books by Bear] [Bear's FrontMan] [About Bear]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 56185

You say that you are using a prepared statement, and yet



you are not taking advantage of the parameterization.

Rather



and use the setString() method to set the value of the ?.
[ August 09, 2005: Message edited by: Bear Bibeault ]
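The advice above, written out as a complete example. This is an added illustration, not code from the thread or from either poster: the table and column names are placeholders for the original "tablename" and "column1", the JDBC URL is a placeholder, and the escapeLike() helper is my own addition. Binding the pattern with setString() is what stops injection; the helper covers the second problem a practitioner hits with LIKE searches, which is that a bound value can still contain the wildcards % and _ and so turn a "contains" search into a full-table match unless they are escaped (assuming the database supports the standard ESCAPE clause).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SafeLikeSearch {

    // Escape character used in the LIKE ... ESCAPE clause.
    // Assumption: the database honours the standard ESCAPE clause.
    private static final char ESCAPE = '\\';

    /**
     * Escape LIKE metacharacters in user input that will be bound as a
     * parameter. The bind variable already prevents SQL injection; this only
     * keeps '%' and '_' in the input from acting as wildcards.
     */
    static String escapeLike(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            if (c == '%' || c == '_' || c == ESCAPE) {
                sb.append(ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Build the value to bind for a "contains" search (the poster's '%...%'). */
    static String containsPattern(String raw) {
        return "%" + escapeLike(raw) + "%";
    }

    /**
     * Run the search with the whole pattern bound through setString(), as the
     * reply above advises. "tablename" and "column1" are placeholders taken
     * from the question, not real schema names.
     */
    static List<String> search(Connection conn, String userInput) throws SQLException {
        // The Java literal "\\" becomes a single backslash in the SQL text.
        String sql = "SELECT column1 FROM tablename WHERE column1 LIKE ? ESCAPE '\\'";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, containsPattern(userInput));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder JDBC URL; supply the application's own data source.
        String url = args.length > 0 ? args[0] : "jdbc:<driver>://<host>/<database>";
        // Constructed sample input containing a quote and both LIKE wildcards.
        String input = args.length > 1 ? args[1] : "O'Neil 50%_off";
        System.out.println("bound pattern: " + containsPattern(input));
        try (Connection conn = DriverManager.getConnection(url)) {
            for (String row : search(conn, input)) {
                System.out.println(row);
            }
        }
    }
}
```

With the sample input the bound value is `%O'Neil 50\%\_off%`: the quote is plain data because it never touches the SQL text, and the escaped wildcards match only a literal "50%_off". Only the user-supplied value goes through the bind variable; table and column names cannot be parameterized, so if those ever come from a request they must be checked against a fixed allow-list instead.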