
Bulletproof string escaping

 
Mariano Lopez-Gappa
Greenhorn
Posts: 13
Is there any further escaping besides .replace("'", "''") needed when building a query with a string?

Ex:


I have read this way of building queries is not recommended, but for the application I'm building this isn't a priority right now. You may suggest so anyway.

Thanks!
 
Akshat Dimri
Greenhorn
Posts: 1
I don't know about any other way, but your way certainly helped me.
 
Paul Sturrock
Bartender
Posts: 10336
Eclipse IDE Hibernate Java
Just use a PreparedStatement. That way you don't need to write any custom string escaping code.
 
Tim McGuire
Ranch Hand
Posts: 820
IntelliJ IDE Tomcat Server VI Editor
As Paul said, Prepared Statements are the way to go.

This is from the Open Web Application Security Project web site:

The use of prepared statements (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.


And this is their example:

OWASP Sql Injection Prevention cheatsheet
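As an added example (not from this thread or from OWASP): the question's doubled-quote concatenation beside a parameterized query, written with Python's standard-library sqlite3 so it runs stand-alone; the thread is about JDBC, where PreparedStatement.setString plays the role of the `?` binding. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows: names chosen to carry the characters hand-rolled
# escaping has to worry about (quote, double quote, backslash, ';' and '--').
SAMPLE_USERS = [
    (1, "O'Brien"),
    (2, 'Smith "Jr."'),
    (3, "back\\slash"),
    (4, "semi;colon -- not a comment"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """The approach from the question: double the single quotes, then concatenate.
    It only holds while the value lands inside a single-quoted literal; every other
    position (numbers, identifiers, LIKE patterns) needs its own, different rule."""
    escaped = name.replace("'", "''")
    sql = "SELECT id FROM users WHERE name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """Parameterized query: the SQL text is fixed and the value travels separately,
    so no character in `name` can alter the statement (no escaping code at all)."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_prefix_param(conn, prefix):
    """Binding keeps the statement intact, but LIKE still reads % and _ inside the
    bound value as wildcards, so those are escaped separately via ESCAPE."""
    literal = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id FROM users WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (literal + "%",))]


if __name__ == "__main__":
    db = make_db()
    for user_id, name in SAMPLE_USERS:
        # Both forms agree here, but only the parameterized one needs no per-context rules.
        assert find_by_name_concat(db, name) == find_by_name_param(db, name) == [user_id]
    print(find_by_prefix_param(db, "O'B"), find_by_prefix_param(db, "O_"))  # [1] []
```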
 
Mariano Lopez-Gappa
Greenhorn
Posts: 13
Thanks again, I will use prepared statements from now on, and I've bookmarked the cheat sheet as well.
 