Filtering Data to prevent SQL Injection

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

With respect to SQL Injection

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters.

If there is no client-side validation involved, then what is the appropriate place to apply filtration? (I mean, will this be at the Presentation Tier or at the DAO Tier?)


Save India From Corruption - Anna Hazare.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Just use PreparedStatements.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Paul,
I have heard a lot about SQL Injection in combination with PreparedStatements, but can you please tell me how PreparedStatements actually filter?
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2543

PreparedStatement does not allow someone to alter your SQL statement, because you BIND the parameter values, instead of INSERTING them into the SQL statement.

Take some time to go to the JavaRanch security FAQ. Look for "a couple of introductions to SQL injection" and follow the links.

Very often, someone uploads a nice cartoon about sql injection when it is mentioned in a post. Let's see if it happens in this post.


OCUP UML fundamental and ITIL foundation
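The difference Jan describes, as an added example that is not from this thread: the same login check written once with Statement (the value is concatenated into the SQL text) and once with PreparedStatement (the value is bound as data). It assumes an H2 in-memory database with its JDBC driver on the classpath; the table, the row and the inputs are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindVsConcat {
    // Assumed: H2 in-memory database and its JDBC driver on the classpath.
    static final String URL = "jdbc:h2:mem:demo";

    // Vulnerable: the user-supplied value becomes part of the SQL text,
    // so a quote character in it changes the structure of the statement.
    static boolean loginWithStatement(Connection c, String user, String pw) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + user + "' AND pw = '" + pw + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe: the SQL text is fixed and contains only placeholders; the values are
    // sent to the database as data, so they are compared, never parsed as SQL.
    static boolean loginWithPrepared(Connection c, String user, String pw) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pw);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL);
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (name VARCHAR(50), pw VARCHAR(50))");
            st.execute("INSERT INTO users VALUES ('alice', 's3cret')");

            String user = "alice";
            String pw = "' OR '1'='1";   // constructed input containing a quote character

            // Concatenated, the WHERE clause becomes: name = 'alice' AND pw = '' OR '1'='1'
            // and the OR branch holds for every row, so the wrong password is accepted.
            System.out.println("Statement:         " + loginWithStatement(c, user, pw));
            // Bound, the pw column is compared against the literal text ' OR '1'='1,
            // which matches no row.
            System.out.println("PreparedStatement: " + loginWithPrepared(c, user, pw));
        }
    }
}
```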
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you Jan.

Please tell me if SQL Injection will be possible if I use Statement rather than a PreparedStatement.

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, for the reasons already explained above.
Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Thank you very much Jan and Paul.