JavaRanch » Java Forums » Databases » JDBC
SQL injection and HTML

Avi Gafa
Greenhorn

Joined: Jul 24, 2008
Posts: 3
Hi All,
I have a text box (on a JSP page) which should enable free text input, including HTML tags.
Some background:
In my customer page, there is an empty <div> that should be filled dynamically by calling my servlet.
My servlet should return a text that can include HTML tags, and this text will be embedded in the div and formatted as regular HTML.
In order to retrieve this text, I'm giving my customer a text box where he can put his free text (again, including HTML tags), and I store it in the DB.
My problem is, how do I give my customer the ability to put his free text with the HTML tags in the text box and in the DB, and avoid security issues like SQL injection?

Thanks,
Avi
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30050

Avi,
If you use a PreparedStatement to update the database, it will protect you from SQL injection. For example:



This will automatically escape any of the HTML inside the "?".


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
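The round trip described in the answer above, written out as an added example (it is not the code from the original post). It assumes a hypothetical `customer_text` table and an in-memory H2 database (`jdbc:h2:mem:`) with the H2 driver on the classpath; any JDBC driver would do. The point it shows: the SQL text is fixed and the customer's HTML travels as a bound parameter, so quotes and other SQL metacharacters in it never become part of the statement, and the stored text comes back unchanged. Binding protects the database; how the stored HTML is later rendered into the `<div>` is a separate question that this thread does not cover.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class FreeTextStore {
    // Hypothetical table; assumption for this example, not from the original thread.
    private static final String DDL =
        "CREATE TABLE customer_text (customer_id INT PRIMARY KEY, body VARCHAR(4000))";
    private static final String INSERT =
        "INSERT INTO customer_text (customer_id, body) VALUES (?, ?)";
    private static final String SELECT =
        "SELECT body FROM customer_text WHERE customer_id = ?";

    // Stores the raw text. The SQL above never changes; the value is sent as a bound parameter.
    public static void save(Connection conn, int customerId, String html) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT)) {
            ps.setInt(1, customerId);
            ps.setString(2, html);   // never concatenated into the SQL string
            ps.executeUpdate();
        }
    }

    // Reads the text back exactly as stored; binding does not alter the content.
    public static String load(Connection conn, int customerId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(SELECT)) {
            ps.setInt(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("body") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input: HTML plus characters that would break string-concatenated SQL.
        String sample = "<b>O'Reilly's</b> \"quoted\" text -- with a comment marker";
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute(DDL);
            }
            save(conn, 42, sample);
            String back = load(conn, 42);
            if (!sample.equals(back)) {
                throw new IllegalStateException("stored text was altered");
            }
            System.out.println("stored and retrieved unchanged: " + back);
        }
    }
}
```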