how to avoid the SQL injection attack?

Edward Chen
Ranch Hand

Joined: Dec 23, 2003
Posts: 798
In a text box input in JSP / Swing, how do I avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?

Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 62139

To begin with, be sure to use a PreparedStatement with parameters, rather than using string concatenation to build SQL statements.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Lukas Eder
Ranch Hand

Joined: Jul 22, 2013
Posts: 41

Edward Chen wrote: In a text box input in JSP / Swing, how do I avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?


The first rule of thumb is to never trust user input in your application. This is true regardless of whether you store data in a database or somewhere else where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such:

Quoting single quote characters. However, there are a couple of edge cases that you may not think of, so it might be better to use PreparedStatements anyway.

Some third-party libraries like jOOQ or JaQu, or even just JPA help you prevent SQL injection transparently. More insight can be found in this blog post that I've recently written:
http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection

It compares various third-party libraries with respect to their helpfulness in preventing SQL injection.


When Java and SQL work together, great software can evolve. That's why I have created jOOQ. Follow me on blog.jooq.org
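The two answers above both recommend a PreparedStatement with bind values over string concatenation, and Lukas notes that escaping quotes has edge cases. The following added example (not code from either poster) puts the three approaches side by side with plain java.sql; the in-memory H2 JDBC URL and the users table are assumptions for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjectionDemo {

    // Vulnerable: the user-supplied value becomes part of the SQL text,
    // so a quote character in the input changes the statement's structure.
    static String buildByConcatenation(String userInput) {
        return "SELECT id FROM users WHERE name = '" + userInput + "'";
    }

    // Escaping only the quote character (the approach Lukas mentions) keeps a
    // quoted string literal intact, but it is dialect-sensitive and does nothing
    // for a value placed in a numeric or identifier position without quotes.
    static String buildByEscaping(String userInput) {
        return "SELECT id FROM users WHERE name = '" + userInput.replace("'", "''") + "'";
    }

    // Recommended: the SQL text is fixed and the value travels as a bind
    // parameter, so the database never parses it as part of the statement.
    static Integer findUserId(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userInput);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input containing a single quote: it breaks the
        // concatenated statement but is just data for the prepared one.
        String input = "O'Brien";
        System.out.println(buildByConcatenation(input));
        System.out.println(buildByEscaping(input));

        // Assumes the H2 driver is on the classpath (in-memory database).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES (1, 'O''Brien')");
            }
            System.out.println("id = " + findUserId(conn, input));
        }
    }
}
```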