JavaRanch » Java Forums » Databases » JDBC
Filtering Data to prevent SQL Injection

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

With respect to SQL Injection

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters.

If there is no client-side validation involved, then what is the appropriate place to apply filtration? (I mean, will this be at the Presentation Tier or at the DAO Tier?)


Save India From Corruption - Anna Hazare.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Just use PreparedStatements.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Paul,
I have heard a lot about SQL injection in combination with PreparedStatements, but can you please tell me how PreparedStatements actually filter?
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2491
    
    8

PreparedStatement does not allow someone to alter your SQL statement, because you BIND the parameter values, instead of INSERTING them into the SQL statement.

Take some time to go to the JavaRanch security FAQ. Look for "a couple of introductions to SQL injection" and follow the links.

Very often, someone uploads a nice cartoon about SQL injection when it is mentioned in a post. Let's see if it happens in this post.


OCUP UML fundamental and ITIL foundation
youtube channel
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Jan .

Please tell me if SQL Injection will be possible if I use Statement rather than a PreparedStatement.

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, for the reasons already explained above.
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you very much Jan and Paul.