SQL Injection

 
ford Darcy Jr
Ranch Hand
Posts: 76
Hi,

How can I avoid the effects of SQL injection in my webapp? I am using servlets to develop my application. I am also using prepared statements. My query goes something like this:

String sql = "Select * from tablename where column1 like '%" + Column1 + "%'";

Can anybody please suggest how to modify my SQL query to avoid SQL injection effects?

Thanks.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64606
This is much more of a JDBC question than one on servlets. I'll recommend that this be moved.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 64606
You say that you are using a prepared statement, and yet



you are not taking advantage of the parameterization.

Rather



and use the setString() method to set the value of the ?.
[ August 09, 2005: Message edited by: Bear Bibeault ]
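The pattern Bear describes, written out as an added example (this is not code from the thread or from any poster): the original concatenated query beside a parameterized version. The table and column names `tablename` and `column1` are taken from the question; the JDBC URL is assumed to be passed on the command line, and any JDBC driver on the classpath will do. Note the extra step a practitioner usually wants with LIKE: a bound parameter stops injection, but `%` and `_` in the user's input are still wildcards, so they are escaped with a declared ESCAPE character.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SafeLikeSearch {

    // Vulnerable (the shape of the query in the question): the user's value is
    // spliced into the SQL text, so an input such as  x' OR '1'='1  changes the
    // structure of the statement instead of being treated as data.
    static String vulnerableSql(String userInput) {
        return "Select * from tablename where column1 like '%" + userInput + "%'";
    }

    // LIKE treats % and _ as wildcards even when they arrive through a bound
    // parameter. Escape them (and the escape character itself) so that a user
    // searching for "50%" matches the literal text "50%" only. '!' is used as
    // the escape character because it is portable across databases; the same
    // character is declared to the database with ESCAPE in the query below.
    static String escapeLikePattern(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // Hardened: the SQL text is fixed at compile time. The wildcards are added
    // to the bound value, not to the SQL string, and the value is sent to the
    // database separately from the statement, so it can never be parsed as SQL.
    static List<String> search(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT column1 FROM tablename WHERE column1 LIKE ? ESCAPE '!'";
        List<String> results = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLikePattern(userInput) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    results.add(rs.getString(1));
                }
            }
        }
        return results;
    }

    public static void main(String[] args) throws SQLException {
        String malicious = "x' OR '1'='1";

        // The concatenated form lets the input rewrite the query.
        System.out.println("Concatenated : " + vulnerableSql(malicious));

        // With a bound parameter the same input is just a search string.
        System.out.println("Bound value  : %" + escapeLikePattern(malicious) + "%");

        // Assumption: args[0] is a JDBC URL such as jdbc:h2:mem:test or
        // jdbc:mysql://localhost/app?user=app&password=secret, with a driver
        // on the classpath. Without one, only the two lines above are shown.
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                for (String row : search(conn, malicious)) {
                    System.out.println("Match: " + row);
                }
            }
        }
    }
}
```

Run with `java SafeLikeSearch` to see how the two forms treat the same input, or `java -cp .:h2.jar SafeLikeSearch jdbc:h2:mem:test` (after creating `tablename`) to execute the parameterized query. The principle generalizes beyond LIKE: every value that comes from a request should reach the database through `?` and a `setXxx()` call, never through string concatenation, and a prepared statement whose text was built by concatenation gives no protection at all.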
 