
webapp sql injection

Peter Straw
Ranch Hand

Joined: Jan 08, 2002
Posts: 79
Is it true that using a PreparedStatement for a database query provides more security against malicious attacks than a Statement object would?
Many thanks,
Frank Carver

Joined: Jan 07, 1999
Posts: 6920
Not that I'm aware of. What sort of "malicious attacks" are you thinking of?

Read about me at ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
Peter Straw
Ranch Hand

Joined: Jan 08, 2002
Posts: 79
Like on a login page, if the user enters John as the username and
' or 1=1 --
as the password, then the query will be:
select count(*) from users where userName='john' and userPass=''
or 1=1 --'
which may just get them into the webapp illegally.
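The mechanism Peter describes, shown in working code as an added example (not code from the thread). It uses Python's built-in sqlite3 module so it runs without a database server; the binding behaviour is the same one JDBC gives you with `PreparedStatement.setString`, and the string-concatenation path mirrors what happens when the SQL text is assembled by hand and handed to a `Statement`. The users table and its two rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny users table with two rows.
USERS = [("john", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Create an in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userName text, userPass text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    conn.commit()
    return conn


def count_with_concatenation(conn, user, password):
    """Vulnerable: the user input becomes part of the SQL text itself.
    This is the same query Peter writes out by hand above."""
    sql = ("select count(*) from users where userName='" + user
           + "' and userPass='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_with_parameters(conn, user, password):
    """Safe: '?' placeholders are bound as values after the statement is
    parsed, so quotes and '--' in the input are just characters in a string.
    This is what PreparedStatement.setString(...) does in JDBC."""
    sql = "select count(*) from users where userName=? and userPass=?"
    return conn.execute(sql, (user, password)).fetchone()[0]


def demo():
    """Run the login check both ways with the password from the thread."""
    conn = make_db()
    injected = "' or 1=1 --"
    return {
        # Concatenation: the WHERE clause collapses to 'or 1=1', every row matches.
        "concat_injected": count_with_concatenation(conn, "john", injected),
        # Bound parameter: no user has that literal password, nothing matches.
        "param_injected": count_with_parameters(conn, "john", injected),
        # Bound parameter with the real password still works as intended.
        "param_correct": count_with_parameters(conn, "john", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the count comes back as 2 (both rows, because `or 1=1` is true for every row and the trailing `--'` is swallowed as a comment), so a login check of the form `count > 0` lets the request through. With the bound parameter the count is 0 for the injected string and 1 only for the real password. The JDBC equivalent is `conn.prepareStatement("select count(*) from users where userName=? and userPass=?")` followed by `setString(1, user)` and `setString(2, password)`; the protection comes from binding, not from the class name, so a `PreparedStatement` whose SQL text was itself built by concatenation gains nothing.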
I agree. Here's the link: