Filtering Data to prevent SQL Injection

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

With respect to SQL Injection

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters.

If there is no client-side validation involved, then what is the appropriate place to apply filtering (I mean, will this be at the Presentation Tier or at the DAO Tier)?


Save India From Corruption - Anna Hazare.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Just use PreparedStatements.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Paul,
I have heard a lot about SQL Injection in combination with PreparedStatements, but can you please tell me how PreparedStatements actually filter?
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2495

PreparedStatement does not allow someone to alter your SQL statement, because you BIND the parameter values instead of INSERTING them into the SQL statement.

Take some time to go to the JavaRanch security FAQ. Look for "a couple of introductions to SQL injection" and follow the links.

Very often, someone uploads a nice cartoon about SQL injection when it is mentioned in a post. Let's see if it happens in this post.


OCUP UML fundamental and ITIL foundation
youtube channel
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Jan .

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Jan .

Please tell me if SQL Injection will be possible if I use a Statement rather than a PreparedStatement.

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, for the reasons already explained above.
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you very much Jan and Paul.