aspose file tools
The moose likes JDBC and the fly likes Preventing SQL Injection in DAO Layer Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of The Mikado Method this week in the Agile and other Processes forum!
JavaRanch » Java Forums » Databases » JDBC
Reply Bookmark "Preventing SQL Injection in DAO Layer" Watch "Preventing SQL Injection in DAO Layer" New topic
Author

Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

I like...
Eclipse IDE Firefox Browser Redhat
posted private message
0
Quote
Assume that we have data inside the DTOObject


My question is how to check for things like 1='1' in the SQL ??

Please tell me in this code , how can we prevent SQL Injection ?? How can we check for Malicious characters ??
Save India From Corruption - Anna Hazare.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 26184
    
  66

I like...
Eclipse IDE Java VI Editor
posted private message
2
Quote
Ravi,
You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME , PWD from LoginTable where uname=? and PWD=?"

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.

[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
 
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to run our stuff on 16 servers instead of 3.
 
subject: Preventing SQL Injection in DAO Layer
 
Similar Threads
SQL injection?
how to keep register page data if register fails
Problem in returning the username
Test cases for Action Class
how to prevent sql injection