Bulletproof string escaping
Mariano Lopez-Gappa
Greenhorn
Joined: Mar 28, 2009
Posts: 13
Is there any further escaping besides .replace("'", "''") needed when building a query with a string?
Ex:
I have read this way of building queries is not recommended, but for the application I'm building this isn't a priority right now. You may suggest so anyway.
Thanks!
Akshat Dimri
Greenhorn
Joined: May 11, 2009
Posts: 1
I don't know about any other way, but your way certainly helped me.
Paul Sturrock
Bartender
Joined: Apr 14, 2004
Posts: 10336
Just use a PreparedStatement. That way you don't need to write any custom string escaping code.
Tim McGuire
Ranch Hand
Joined: Apr 30, 2003
Posts: 819
As Paul said, Prepared Statements are the way to go.
This is from the Open Web Application Security Project web site:
The use of prepared statements (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.
And this is their example:
OWASP SQL Injection Prevention Cheat Sheet
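To make Paul's and Tim's point concrete, here is an added Java example (not code from the thread or from OWASP) that puts the replace-based escaping next to a PreparedStatement: doubling quotes only helps inside a quoted string literal, so a value spliced into a numeric comparison is still executed as SQL, whereas the bound parameter is never parsed as SQL at all. It assumes an in-memory SQLite database reachable through the xerial sqlite-jdbc driver on the classpath; the table and the inputs are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class EscapeVsPrepared {
    // The thread's escaping: doubles single quotes so a value can sit inside '...'.
    // It only makes sense for string literals and does nothing for unquoted values.
    static String escapeQuote(String s) {
        return s.replace("'", "''");
    }

    // Concatenation guarded only by escapeQuote(). The id column is numeric, so there
    // are no quotes around the value and the replace is a no-op: idText runs as SQL.
    static int countByIdConcat(Connection c, String idText) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE id = " + escapeQuote(idText);
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Same lookup as a PreparedStatement: the value is bound as data, never parsed as
    // SQL, and the int conversion rejects anything that is not a number up front.
    static int countByIdPrepared(Connection c, String idText) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE id = ?")) {
            ps.setInt(1, Integer.parseInt(idText)); // NumberFormatException on non-numeric input
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory SQLite via the xerial sqlite-jdbc driver on the classpath.
        try (Connection c = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
            st.execute("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");
            String input = "1 OR 1=1"; // constructed: contains no quote, so escapeQuote() leaves it untouched
            System.out.println("concat matched " + countByIdConcat(c, input) + " of 2 rows");
            try {
                System.out.println("prepared matched " + countByIdPrepared(c, input));
            } catch (NumberFormatException e) {
                System.out.println("prepared rejected the input before any SQL ran");
            }
        }
    }
}
```

The same contrast applies to string columns: the concatenated form depends on the escaping matching every quoting rule of the particular DBMS and driver, while the bound parameter needs none.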
Mariano Lopez-Gappa
Greenhorn
Joined: Mar 28, 2009
Posts: 13
Thanks again. I will use prepared statements from now on, and I've bookmarked the cheat sheet as well.