Cheers,
Hemanth...
(When opportunity doesn't knock, build a door.)
-- Prepared statements are more secure because they use bind variables, which can prevent SQL injection attacks.
The most common type of SQL injection attack is SQL manipulation. The attacker attempts to modify the SQL statement by adding elements to the WHERE clause or extending the SQL with set operators such as UNION, INTERSECT, etc.
Reid - SCJP2 (April 2002)
No, that attack shouldn't work. It isn't a text substitution, it is a typed value substitution.
Strictly speaking, the attack isn't based on whether you use Statement or PreparedStatement, it is based on how you build the SQL string used by either of them. If you concatenate fragments of SQL together based on some incoming request, or if you always specify every possible column in the SQL statement, either way you leave yourself open to hackers submitting requests to do things an application wasn't otherwise intended to do.
Originally posted by R. M. Menon:
Sure you can use PreparedStatement and still not use bind variables but I am assuming we are not discussing that possibility here...
Reid - SCJP2 (April 2002)
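To make the two points above concrete (a bound value is a typed value, not a text substitution, and concatenating SQL fragments stays risky even when a prepared statement is used), here is an added example that is not from this thread. It uses Python's built-in sqlite3 module instead of JDBC so it runs offline; the table, rows and the manipulated input are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table so the example runs without a database server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn

def lookup_concatenated(conn, name):
    # Vulnerable: the request value is spliced into the SQL text, so a
    # quote character in it becomes part of the statement's syntax.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Safe: '?' is a bind variable. The driver sends the value separately,
    # typed as a string, so it is only ever compared, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed WHERE-clause manipulation input of the kind discussed above.
MANIPULATED_NAME = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "concat_normal": lookup_concatenated(conn, "alice"),
        "concat_manipulated": lookup_concatenated(conn, MANIPULATED_NAME),
        "bound_normal": lookup_bound(conn, "alice"),
        "bound_manipulated": lookup_bound(conn, MANIPULATED_NAME),
    }

# Identifiers (column names, ORDER BY targets) cannot be bound, so a query
# built from such fragments is not protected by using a prepared statement.
# The defence here is an allow-list check before the fragment is spliced in.
ALLOWED_SORT_COLUMNS = {"name", "secret"}

def list_sorted(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    sql = "SELECT name FROM users ORDER BY " + sort_col
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the manipulated input, the concatenated query returns every row, while the bound query returns nothing because no user is literally named `x' OR '1'='1`.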