Bulletproof string escaping

Mariano Lopez-Gappa

Joined: Mar 28, 2009
Posts: 13
Is there any further escaping besides .replace("'", "''") needed when building a query with a string?


I have read this way of building queries is not recommended, but for the application I'm building this isn't a priority right now. You may suggest so anyway.

Akshat Dimri

Joined: May 11, 2009
Posts: 1
I don't know about any other way ..but your way certainly helped me.
Paul Sturrock

Joined: Apr 14, 2004
Posts: 10336

Just use a PreparedStatement. That way you don't need to write any custom string escaping code.

JavaRanch FAQ HowToAskQuestionsOnJavaRanch
Tim McGuire
Ranch Hand

Joined: Apr 30, 2003
Posts: 820

As Paul said, prepared statements are the way to go.

This is from the Open Web Application Security Project web site:

The use of prepared statements (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.

And this is their example:

OWASP Sql Injection Prevention cheatsheet
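An added example, not from this thread or from the OWASP page, contrasting the hand-rolled escaping from the question with a PreparedStatement. It assumes a hypothetical `users` table with `name`, `email` and `age` columns and an already-open JDBC `Connection`:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // The escaping asked about in the question. It only handles the single-quote
    // character, and only when the value lands inside a single-quoted SQL string
    // literal. It does nothing for a numeric context, and it is not enough for a
    // database that also treats backslash as an escape (MySQL by default).
    static String findByNameConcatenated(Connection conn, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name.replace("'", "''") + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // The recommended form: the SQL text is fixed when the statement is prepared
    // and the value is bound as a parameter afterwards, so the database never
    // parses user input as SQL and no escaping code is needed at all.
    static String findByNameParameterized(Connection conn, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // A numeric parameter has no quotes around it, so quote-doubling cannot help;
    // binding with setInt keeps both the type and the code/data separation.
    static int countByAge(Connection conn, int age) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE age = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, age);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```

Both `findByName` methods return the same result for ordinary input; the difference is that the parameterized version's behaviour does not depend on what characters the caller passes in.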
Mariano Lopez-Gappa

Joined: Mar 28, 2009
Posts: 13
Thanks again, I will use prepared statements from now on and I've bookmarked the cheat sheet as well.
I agree. Here's the link: