Edward Chen wrote:In a text box input in the JSP / Swing , how to avoid the SQL injection attack ? how can I convert all those SQL keywords to something else ? Do we have a third party library ?
The first rule of thumb is to never trust user input in your application. This is true regardless if you store data in a database or somewhere else, where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such:
Quoting single quote characters. However, there are a couple of edge-cases that you may not think of, so it might be better to use PreparedStatements anyway.