avoid sql injection

anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
What are the methods of avoiding SQL injection?
Jan Cumps
Bartender

Joined: Dec 20, 2006
Posts: 2500
Hi,

the most effective and easy method is to bind parameters to an SQL statement, instead of concatenating values into an SQL string.
In JDBC, this is done using a PreparedStatement.


Wikipedia has an understandable explanation.


OCUP UML fundamental and ITIL foundation
youtube channel
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
I found that stored procedures are also one way. Are there any other ways?
Scott Selikoff
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3707
Not necessarily. SQL injection is about validating input parameters. For example, any SQL query that takes no input parameters is immune to SQL injection.


My Blog: Down Home Country Coding with Scott Selikoff
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
So how do I validate the input parameter?
Is there a default in Java or SQL?

I found that using stored procedures and hashing can also avoid SQL injection. Is it true?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

You don't need to validate parameters if you use a PreparedStatement.


I found that using stored procedures and hashing can also avoid SQL injection. Is it true?

Not sure what you mean by this. How would you use hashing to stop SQL injection?


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
I heard it from someone. I can't guarantee it; that's why I put it here.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

I can't think of a way of doing that. Do you have a link to where you read it?
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
Read the 5th paragraph:
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

I'm assuming you mean the "salted hash" mechanism for protecting data? This isn't really a SQL injection defence (that article, despite its title, is about more than just SQL injection); this is more an extra restriction on sensitive data, and the paragraph you mention summarises it quite succinctly.