aspose file tools*
The moose likes JDBC and the fly likes Preventing SQL Injection in DAO Layer Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Databases » JDBC
Bookmark "Preventing SQL Injection in DAO Layer" Watch "Preventing SQL Injection in DAO Layer" New topic
Author

Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Assume that we have data inside the DTOObject


My question is how to check for things like 1='1' in the SQL ??

Please tell me in this code , how can we prevent SQL Injection ?? How can we check for Malicious characters ??

Save India From Corruption - Anna Hazare.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29287
    
140

Ravi,
You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME , PWD from LoginTable where uname=? and PWD=?"

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
 
wood burning stoves
 
subject: Preventing SQL Injection in DAO Layer
 
Similar Threads
Problem in returning the username
SQL injection?
how to keep register page data if register fails
Test cases for Action Class
how to prevent sql injection