
how to avoid the SQL injection attack ?

Edward Chen
Ranch Hand

Joined: Dec 23, 2003
Posts: 798
For a text box input in JSP / Swing, how do I avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?

Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61092
To begin with, be sure to use a PreparedStatement with parameters, rather than using string concatenation to build SQL statements.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Lukas Eder
Ranch Hand

Joined: Jul 22, 2013
Posts: 41
Edward Chen wrote: For a text box input in JSP / Swing, how do I avoid the SQL injection attack? How can I convert all those SQL keywords to something else? Do we have a third-party library?


The first rule of thumb is to never trust user input in your application. This is true regardless of whether you store data in a database or somewhere else where content can be interpreted. With JDBC, you don't necessarily need a third-party library to help you there. The simplest way is to use a PreparedStatement along with bind values instead of inline string literals. If you're careful, you could also try to escape inline string literals as such:

Quoting single quote characters. However, there are a couple of edge cases that you may not think of, so it might be better to use PreparedStatements anyway.

Some third-party libraries like jOOQ or JaQu, or even just JPA help you prevent SQL injection transparently. More insight can be found in this blog post that I've recently written:
http://blog.jooq.org/2012/07/29/database-abstraction-and-sql-injection

It compares various third-party libraries with respect to their helpfulness in preventing SQL injection.


When Java and SQL work together, great software can evolve. That's why I have created jOOQ. Follow me on blog.jooq.org
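To make the advice in the two answers above concrete, here is an added example (not code from either post, nor from jOOQ) that puts the same input through string concatenation, the quote-doubling escape Lukas mentions, and a PreparedStatement bind value, and shows why escaping quotes cannot cover an unquoted numeric column. It assumes the H2 JDBC driver is on the classpath so that `jdbc:h2:mem:demo` gives an in-memory database; the `users` table and the inputs are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Contrasts three ways of getting user input into a JDBC query:
 * string concatenation (vulnerable), quote-doubling (fragile) and
 * PreparedStatement bind values (recommended).
 * Assumes an H2 in-memory database reachable via jdbc:h2:mem:demo.
 */
public class BindValueDemo {

    // Vulnerable: the input becomes part of the SQL text, so a quote in it
    // ends the literal and whatever follows is parsed as SQL.
    static int countByConcatenation(Connection c, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Fragile: doubling single quotes handles quotes in standard SQL string
    // literals, but the rule is dialect-specific (some databases also honour
    // backslash escapes) and it does nothing for values spliced in unquoted.
    static String escapeSingleQuotes(String s) {
        return s.replace("'", "''");
    }

    // Recommended: the SQL text is fixed, the input travels as a bind value,
    // and the database never parses it as SQL.
    static int countByBindValue(Connection c, String username) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT COUNT(*) FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Numeric column: there are no quotes to escape, so convert the input to
    // the expected type first and bind it; junk is rejected before any SQL runs.
    static int countById(Connection c, String idInput) throws SQLException {
        int id = Integer.parseInt(idInput.trim()); // NumberFormatException for non-numeric input
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT COUNT(*) FROM users WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(50))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'o''brien')");
            }

            String input = "o'brien"; // constructed: a legitimate value that contains a quote

            try {
                countByConcatenation(c, input);
            } catch (SQLException e) {
                // The stray quote breaks the statement; crafted input would change its meaning instead.
                System.out.println("concatenation failed: " + e.getMessage());
            }

            System.out.println("escaped:    " + countByConcatenation(c, escapeSingleQuotes(input)));
            System.out.println("bind value: " + countByBindValue(c, input));

            try {
                countById(c, "2 OR 1=1"); // constructed: not an integer, so it never reaches the database
            } catch (NumberFormatException e) {
                System.out.println("rejected non-numeric id: " + e.getMessage());
            }
            System.out.println("by id:      " + countById(c, "2"));
        }
    }
}
```

The point of the two `count*` bind-value methods is that the SQL text is decided by the program and only the values come from the user; the `escapeSingleQuotes` path works for this particular input but has to be re-validated for every dialect and every context in which a value is spliced in, which is exactly the class of edge cases the answer warns about.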
 