JavaRanch » Java Forums » Databases » JDBC and Relational Databases

Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Assume that we have data inside the DTOObject

My question is: how do I check for things like 1='1' in the SQL?

Please tell me, in this code, how can we prevent SQL injection? How can we check for malicious characters?

Save India From Corruption - Anna Hazare.
Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 33102

You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME, PWD from LoginTable where uname=? and PWD=?";

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.

[OCA 8 book] [Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
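The bound-parameter approach from the answer above, written out as a small DAO method. This is an added example, not code from the thread; it assumes the LoginTable/UNAME/PWD names from the question and a java.sql.Connection supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

// Hypothetical DAO: the SQL text is a constant and user input only ever
// travels to the driver as a bound value, so there is nothing to "screen".
public class LoginDao {

    private static final String FIND_USER_SQL =
        "select UNAME, PWD from LoginTable where uname = ? and PWD = ?";

    private final Connection connection;

    public LoginDao(Connection connection) {
        this.connection = connection;
    }

    /**
     * Returns the stored user name when a row matches both values.
     * If the caller passes something like 1='1' as the user name, the driver
     * sends it as a literal string value; it does not become part of the
     * query, so it simply matches no row and an empty Optional comes back.
     */
    public Optional<String> findUser(String uname, String pwd) throws SQLException {
        try (PreparedStatement ps = connection.prepareStatement(FIND_USER_SQL)) {
            ps.setString(1, uname); // bound as a value, never spliced into the SQL text
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("UNAME")) : Optional.empty();
            }
        }
    }

    // The shape to avoid, for contrast: building the statement by string
    // concatenation lets the input change the query instead of being a value.
    // String sql = "... where uname='" + uname + "' and PWD='" + pwd + "'";
}
```

Bound parameters cover values only: a table or column name, or an ORDER BY clause, cannot be a `?` placeholder, so any such piece that depends on input has to be checked against a fixed allow-list in the DAO before it is placed in the SQL text.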
I agree. Here's the link: