
webapp sql injection

 
Peter Straw
Ranch Hand
Posts: 79
Hi,
Is it true that using a PreparedStatement for a database query provides more security against malicious attacks than a Statement object would?
Many thanks,
Peter
 
Frank Carver
Sheriff
Posts: 6920
Not that I'm aware of. What sort of "malicious attacks" are you thinking of?
 
Peter Straw
Ranch Hand
Posts: 79
Like on a login page, if the user enters John as the username and
' or 1=1 --
as the password, then the query will be:
select count(*) from users where userName='john' and userPass='' or 1=1 --'
which may just get them into the webapp illegally.
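The two query-building approaches the thread is comparing, as an added example that is not code from the original thread. It assumes a JDBC `Connection` to a database with a `users` table having `userName` and `userPass` columns, matching the query quoted above; the class and method names are chosen for illustration. The `main` method needs no database: it only prints the SQL text the concatenating version would hand to the driver versus what the prepared version binds as data.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginQueryExample {

    // Builds the query the way the post describes: by concatenating
    // user-controlled strings straight into the SQL text. This is the
    // vulnerable form; it is kept here only to make the problem visible.
    static String buildConcatenatedQuery(String userName, String userPass) {
        return "select count(*) from users where userName='" + userName
                + "' and userPass='" + userPass + "'";
    }

    // Vulnerable: whatever the user typed becomes part of the SQL grammar,
    // so a quote and a comment marker in the password rewrite the WHERE clause.
    static boolean loginWithStatement(Connection conn, String userName, String userPass)
            throws SQLException {
        String sql = buildConcatenatedQuery(userName, userPass);
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() && rs.getInt(1) > 0;
        }
    }

    // Safer: the SQL text is fixed when the statement is prepared and the
    // user input is bound as parameter values, so a quote or "--" in the
    // password is compared literally and cannot change the query structure.
    static boolean loginWithPreparedStatement(Connection conn, String userName, String userPass)
            throws SQLException {
        String sql = "select count(*) from users where userName=? and userPass=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, userPass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input taken from the post above: a plain username and
        // a password that tries to close the string literal and comment out the rest.
        String userName = "John";
        String userPass = "' or 1=1 --";

        System.out.println("Statement would execute:");
        System.out.println("  " + buildConcatenatedQuery(userName, userPass));
        System.out.println("PreparedStatement executes a fixed query and binds:");
        System.out.println("  userName = " + userName);
        System.out.println("  userPass = " + userPass);
    }
}
```

The difference to look for is in what reaches the database: with `Statement`, the printed string is the whole query, so the `or 1=1` becomes a real condition; with `PreparedStatement`, the query text never changes and the two values travel as parameters. Parameter binding only protects the places where a `?` stands for a value (not table or column names), and a real login check should compare a stored password hash rather than the plaintext `userPass` column used here to match the post's query.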
 