JavaRanch » Java Forums » Databases » JDBC
Bulletproof string escaping

Mariano Lopez-Gappa
Greenhorn

Joined: Mar 28, 2009
Posts: 13
Is there any further escaping besides .replace("'", "''") needed when building a query with a string?

Ex:


I have read this way of building queries is not recommended, but for the application I'm building this isn't a priority right now. You may suggest so anyway.

Thanks!
Akshat Dimri
Greenhorn

Joined: May 11, 2009
Posts: 1
I don't know about any other way, but your way certainly helped me.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Just use a PreparedStatement. That way you don't need to write any custom string escaping code.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

As Paul said, prepared statements are the way to go.

This is from the Open Web Application Security Project web site:

The use of prepared statements (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.


And this is their example:

OWASP Sql Injection Prevention cheatsheet
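To make the contrast in the replies concrete, here is an added example (not code from the thread or from OWASP) that puts the hand-built query from the question next to the PreparedStatement version. It assumes a table USERS(ID, NAME, EMAIL) and an already opened java.sql.Connection; both are illustrative assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the original thread. The table USERS(ID, NAME, EMAIL)
 * is assumed for illustration; the Connection is supplied by the caller.
 */
public class UserLookup {

    private final Connection connection;

    public UserLookup(Connection connection) {
        this.connection = connection;
    }

    /**
     * The approach from the question: the SQL text is assembled by hand and the
     * only protection is doubling single quotes. The escaping rule lives in the
     * application, so it is only as complete as the developer's knowledge of
     * every character the target database treats specially inside a literal.
     */
    static String buildConcatenatedQuery(String name) {
        return "SELECT ID, NAME, EMAIL FROM USERS WHERE NAME = '"
                + name.replace("'", "''") + "'";
    }

    public List<String> findEmailsByConcatenation(String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery(buildConcatenatedQuery(name))) {
            while (rs.next()) {
                emails.add(rs.getString("EMAIL"));
            }
        }
        return emails;
    }

    /**
     * The approach the replies recommend: the SQL text is fixed up front and the
     * value is bound through setString. The driver (or the server, for
     * server-side prepared statements) carries the value as data, so the
     * application writes no escaping code at all, whatever the name contains.
     */
    public List<String> findEmailsByPreparedStatement(String name) throws SQLException {
        String sql = "SELECT ID, NAME, EMAIL FROM USERS WHERE NAME = ?";
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, name); // bound as a value; it cannot alter the statement's structure
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("EMAIL"));
                }
            }
        }
        return emails;
    }
}
```

A name such as O'Brien works with both methods, but only the second one keeps working without the application having to know which other characters its particular database and driver give special meaning to; that is the "bulletproof" part the question asks about, and it comes from the placeholder rather than from any replace() call.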
Mariano Lopez-Gappa
Greenhorn

Joined: Mar 28, 2009
Posts: 13
Thanks again, I will use prepared statements from now on, and I've bookmarked the cheat sheet as well.