Mike Peters
Bill Karwin is the author of SQL Antipatterns: Avoiding the Pitfalls of Database Programming
[OCP 17 book] | [OCP 11 book] | [OCA 8 book] [OCP 8 book] [Practice tests book] [Blog] [JavaRanch FAQ] [How To Ask Questions] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
Mike Peters
Mike Peters wrote:in what scenario, do you want a user to be able to alter a query component other than the parameters (except for a query tool)? In other words, when are PreparedStatement parameters not enough?
Mike Peters wrote:I wonder, in what scenario, do you want a user to be able to alter a query component other than the parameters (except for a query tool)?
Bill Karwin wrote:
SELECT * FROM Products WHERE ...criteria... ORDER BY {$Column} {$AscOrDesc}
This is a pretty common pattern where you want the user's choice to determine the sort order and sort direction. For example on Amazon.com you can sort by average customer review, or by price low to high or by price high to low, etc.
Martin Vajsar wrote:
Bill Karwin wrote:
SELECT * FROM Products WHERE ...criteria... ORDER BY {$Column} {$AscOrDesc}
This is a pretty common pattern where you want the user's choice to determine the sort order and sort direction. For example on Amazon.com you can sort by average customer review, or by price low to high or by price high to low, etc.
However, in this case you probably don't put arbitrary strings typed by the user into the SQL text, but choose one of several compile-time constants based on the user's selections. Therefore SQL injection shouldn't be an issue here and you don't have to sanitize the inputs.
SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions
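Putting Bill's ORDER BY pattern and Martin's point together, here is an added example that is not from the thread: the user's choice only selects among fixed identifiers for the sort column and direction, while the WHERE criteria still go through bind parameters. It uses Python's sqlite3 in place of JDBC, and the Products table and allow-list keys are constructed for the demo.

```python
import sqlite3

# Allow-listed sort options: the user supplies a key, never the identifier itself,
# so only these compile-time constants can ever reach the SQL text.
SORT_COLUMNS = {"price": "price", "rating": "avg_rating", "name": "name"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_product_query(sort_key, direction):
    """Return the SELECT with ORDER BY chosen from constants; reject unknown keys."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError as exc:
        raise ValueError(f"unsupported sort option: {exc}") from None
    # Identifiers come from the dictionaries above; the price limit is a '?' placeholder.
    return f"SELECT name, price FROM Products WHERE price <= ? ORDER BY {column} {order}"


def search_products(conn, max_price, sort_key="name", direction="asc"):
    """Run the query with the user-supplied value bound as a parameter."""
    sql = build_product_query(sort_key, direction)
    return conn.execute(sql, (max_price,)).fetchall()


def demo_connection():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (name TEXT, price REAL, avg_rating REAL)")
    conn.executemany(
        "INSERT INTO Products VALUES (?, ?, ?)",
        [("Widget", 9.99, 4.5), ("Gadget", 19.99, 3.8), ("Gizmo", 4.49, 4.9)],
    )
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print(search_products(db, 15, "price", "asc"))
    print(search_products(db, 100, "rating", "desc"))
```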
... I believe the best way to prevent SQL Injection attacks ... is by placing a WAF (web application firewall) in front of your servers.
Save India From Corruption - Anna Hazare.
How does that example demonstrate SQL injection? And how do you inject SQL via bind parameters?
I certainly use bind variables when possible. But, since I connect to a variety of databases (iSeries, Oracle, SQL 2000, MySQL), this is not always possible. Even with Oracle, I have had to form dynamic SQL statements because it complains I've tried to bind too many variables. Granted, this is the exception, but it has occurred. And, with antiquated stuff like SQL 2000, the problem becomes even worse.
Ravi Kiran Pattu wrote:I mean to say that you check for anything like 1='1' in the username and password.
-Abhishek
I came to this world on a Learner's License