jQuery in Action, 2nd edition*
The moose likes JDBC and the fly likes Preventing SQL Injection in DAO Layer Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Databases » JDBC
Bookmark "Preventing SQL Injection in DAO Layer" Watch "Preventing SQL Injection in DAO Layer" New topic

Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Assume that we have data inside the DTOObject

My question is how to check for things like 1='1' in the SQL ??

Please tell me in this code , how can we prevent SQL Injection ?? How can we check for Malicious characters ??

Save India From Corruption - Anna Hazare.
Jeanne Boyarsky
internet detective

Joined: May 26, 2003
Posts: 30116

You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME , PWD from LoginTable where uname=? and PWD=?"

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.

[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
I agree. Here's the link: http://aspose.com/file-tools
subject: Preventing SQL Injection in DAO Layer
Similar Threads
Problem in returning the username
how to prevent sql injection
Test cases for Action Class
SQL injection?
how to keep register page data if register fails