aspose file tools*
The moose likes JDBC and the fly likes Preventing SQL Injection in DAO Layer Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Databases » JDBC
Bookmark "Preventing SQL Injection in DAO Layer" Watch "Preventing SQL Injection in DAO Layer" New topic
Author

Preventing SQL Injection in DAO Layer

Ravi Kiran Va
Ranch Hand

Joined: Apr 18, 2009
Posts: 2234

Assume that we have data inside the DTOObject


My question is how to check for things like 1='1' in the SQL ??

Please tell me in this code , how can we prevent SQL Injection ?? How can we check for Malicious characters ??

Save India From Corruption - Anna Hazare.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30771
    
156

Ravi,
You don't want to screen for malicious characters. You want the driver to do it for you. If you use a SQL statement with binding variables as:
String sql = "select UNAME , PWD from LoginTable where uname=? and PWD=?"

and a PreparedStatement, the SQL is safe. Even if a user enters 1=1 for the uname or pwd, it will be treated as a value. Since the value doesn't match any field, the query returns zero records.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
 
 
subject: Preventing SQL Injection in DAO Layer