In my servlet i have a database insert code which depends on a request parameter. If I enter the " ' " character in the text box it results in SQLException because the string is terminated from that point. In order to allow the " ' " key what should i do? Should I need to block the key or replace it with " \' " character or is there any mechanism to handle it.
[ August 03, 2007: Message edited by: Dilshan Edirisuriya ]
This means your code is insecure and open to SQL Injection (please look it up).
You should use a PreparedStatement at the back end rather than a Statement.
Stan James
(instanceof Sidekick)
Ranch Hand
Joined: Jan 29, 2003
Posts: 8791
See also StringEscapeUtils for an approach that escapes those characters so they can't mess you up.
Are you familiar with SQL injection? Say you built a SQL string like:
sql = "SELECT * FROM USER WHERE USERID = '" + userid + "'"
and somebody entered a userid like:
bob';DELETE FROM USER WHERE USERID != '
Folks who know their way around databases can query the system tables, learn all your table and column names, execute any query they like.
A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Dilshan Edirisuriya
Ranch Hand
Joined: Apr 22, 2006
Posts: 299
I have heard about SQL injection but I don't know how to get rid of that. Stan, what method should I use in the StringEscapeUtils class? Is that escapeSQL()?
I haven't used PreparedStatement at all in my code. I have used the Statement object instead of that. I think it is hard to change the coding now because there are around 150 classes that use that. So what should I do? Is it okay if I use the StringEscapeUtils class to cope with that?
I'm not familiar with that library, but you will need to ensure, somehow, that SQL code entered by a user can never be run in your statements.
In particular, you'll need to make sure that words like UPDATE, DELETE, INSERT, and SELECT are always escaped. [ August 07, 2007: Message edited by: Ben Souther ]
Sundaram Karthick
Greenhorn
Joined: Jun 26, 2007
Posts: 24
Go through this: Preventing SQL injection. Variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver. Even from a performance point of view, prepared statements are faster than the ones that you use. Hope this helps.
SCJP 1.5, SCWCD 1.4, SCBCD 5
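The three replies above all make the same point: build the query with a PreparedStatement and bind the user's input as a parameter instead of concatenating it into the SQL string. The following is an added example, not code from the original thread or any of its posters. It assumes an in-memory H2 database is available on the classpath (any JDBC driver would do) and uses a constructed table named APP_USER, since USER is a reserved word in H2. It shows the concatenation pattern from Stan's post failing on the apostrophe that started the thread, and the PreparedStatement version accepting that same apostrophe, while treating an input shaped like SQL as plain data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjectionDemo {
    // Constructed in-memory database (assumption: the H2 driver is on the classpath).
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed sample data; APP_USER is used because USER is reserved in H2.
    static void setUp(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE APP_USER (USERID VARCHAR(64), NAME VARCHAR(64))");
            s.execute("INSERT INTO APP_USER VALUES ('bob', 'Bob'), ('o''brien', 'Pat')");
        }
    }

    // The pattern from the original question: user input concatenated into a Statement.
    // The input is parsed as part of the SQL text, so an apostrophe ends the literal early.
    static int findByConcatenation(Connection c, String userid) throws SQLException {
        String sql = "SELECT * FROM APP_USER WHERE USERID = '" + userid + "'";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // The fix: the SQL text is fixed at prepare time and the value is bound separately,
    // so whatever the user typed can only ever be compared as a string, never parsed as SQL.
    static int findByPreparedStatement(Connection c, String userid) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT * FROM APP_USER WHERE USERID = ?")) {
            ps.setString(1, userid);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            setUp(c);

            // The legitimate input from the original question.
            String apostrophe = "o'brien";
            try {
                findByConcatenation(c, apostrophe);
            } catch (SQLException e) {
                // Same failure the poster saw: the literal is terminated at the apostrophe.
                System.out.println("Statement + concatenation: " + e.getMessage());
            }
            // Bound as a parameter, the apostrophe is just data: matches the one row.
            System.out.println("PreparedStatement rows for o'brien: "
                    + findByPreparedStatement(c, apostrophe));

            // Input shaped like SQL. Concatenated, it changes the query's meaning and
            // matches every row; bound as a parameter, it matches nothing.
            String sqlShaped = "bob' OR '1'='1";
            System.out.println("Concatenation rows for SQL-shaped input: "
                    + findByConcatenation(c, sqlShaped));
            System.out.println("PreparedStatement rows for SQL-shaped input: "
                    + findByPreparedStatement(c, sqlShaped));
        }
    }
}
```

Run with the H2 jar on the classpath; the first call throws, the PreparedStatement call for o'brien returns 1, the concatenated SQL-shaped query returns 2 rows and the prepared one returns 0. This is why the replies steer away from escaping helpers as the primary fix: escaping has to be applied correctly at every one of the 150 call sites, whereas a bound parameter is safe by construction regardless of what characters the input contains.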