
Filtering Data to prevent SQL Injection

 
Ravi Kiran Va
Ranch Hand
With respect to SQL Injection

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters.

If there is no client-side validation involved, then what is the appropriate place to apply filtration? (I mean, will this be at the Presentation Tier or at the DAO Tier?)
 
Paul Sturrock
Bartender
Just use PreparedStatements.
 
Ravi Kiran Va
Ranch Hand
Thank you Paul,
I have heard a lot about SQL Injection in combination with PreparedStatements, but can you please tell me how PreparedStatements actually filter?
 
Jan Cumps
Bartender
PreparedStatement does not allow someone to alter your SQL statement, because you BIND the parameter values instead of INSERTING them into the SQL statement.

Take some time to go to the JavaRanch security FAQ. Look for "a couple of introductions to SQL injection" and follow the links.

Very often, someone uploads a nice cartoon about sql injection when it is mentioned in a post. Let's see if it happens in this post.
 
Ravi Kiran Va
Ranch Hand
Thank you Jan.

Please tell me if SQL Injection will be possible if I use Statement rather than a PreparedStatement.

 
Paul Sturrock
Bartender
Yes, for the reasons already explained above.
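The distinction Jan describes (binding a value versus inserting it into the SQL text) and Paul's answer to the Statement question, as an added example that is not part of the thread. The thread is about JDBC; this stand-alone Python script uses the standard-library sqlite3 module because it needs no driver and shows the same two paths: concatenating the value into the SQL string (what you do when you build a query for java.sql.Statement) and binding it as a parameter (what PreparedStatement.setString does). The users table, its rows, the login values and the payload string are all constructed for the example.

```python
"""Added example (not from the thread): one lookup written two ways.

sqlite3's "?" placeholder binds a value exactly the way a JDBC
PreparedStatement does: the SQL text is fixed and the value travels
separately, so it is compared as data and never parsed as SQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable: the values become part of the SQL text, so a quote or a
    keyword inside them is parsed as SQL. This is the Statement-style query
    Ravi asks about."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Safe: the SQL text never changes; the driver receives the values
    separately and compares them as data. This is the PreparedStatement path."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Constructed payload: closes the password literal and appends an always-true
# condition, so the concatenated WHERE clause becomes
#   name = 'alice' AND password = '' OR '1'='1'
# which AND/OR precedence turns into "every row".
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both query styles with legitimate, malicious and merely awkward
    input and return the results keyed by case."""
    conn = make_db()
    results = {
        "legit_concat": find_user_concat(conn, "alice", "s3cret"),
        "legit_bound": find_user_bound(conn, "alice", "s3cret"),
        # Injection: concatenation returns every user, binding returns none.
        "attack_concat": find_user_concat(conn, "alice", PAYLOAD),
        "attack_bound": find_user_bound(conn, "alice", PAYLOAD),
        # An honest apostrophe in the data breaks the concatenated query
        # outright (unterminated string literal), while binding handles it.
        "quote_bound": find_user_bound(conn, "alice", "o'brien"),
    }
    try:
        find_user_concat(conn, "alice", "o'brien")
        results["quote_concat"] = "no error"
    except sqlite3.OperationalError:
        results["quote_concat"] = "OperationalError"
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:14} {value}")
```

The "quote_concat" case is the practical answer to the opening question about where to filter: once values are bound, there is nothing to filter for the database's sake, and a legitimate O'Brien stops breaking your DAO.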
 
Ravi Kiran Va
Ranch Hand
Thank you very much Jan and Paul.
 