Francis Galiegue
Apr 23, 2015
<pre><code>// vulnerable: the caller-supplied username is pasted straight into the SQL text
ResultSet user = stat.executeQuery( "SELECT * FROM USER WHERE log_id='" + username + "';" ); </code></pre>
<p>This is subject to SQL injection.</p>
<p>Imagine what happens if <code>username</code> has this value:</p>
<pre><code>John'; delete from user where 'a' = 'a </code></pre>
<p>And yes, a s*load of Java JDBC SQL tutorials get this wrong. Basically, always use <a href="http://docs.oracle.com/javase/8/docs/api/java/sql/PreparedStatement.html" rel="nofollow"><code>PreparedStatement</code></a>s.</p>
<p>Not only because this makes it safe to use even if <code>username</code> has malicious values such as the above, but also, and more importantly, because the same query can be reused by the RDBMS engine for all further invocations.</p>
<p>In short, there is no reason at all not to use them. And tutorials demonstrating SQL using string concatenation should die a painful, SQL injection death.</p>
<p>This tip was originally posted on <a href="http://stackoverflow.com/questions/29758929/JAVA%20-%20Possible%20SQL%20Injection/29759000">Stack Overflow</a>.</p>
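<p>The same lookup written with a <code>PreparedStatement</code>, as an added example that is not part of the original post. The <code>?</code> placeholder is bound with <code>setString</code>, so the driver ships <code>username</code> to the database as a parameter value and never splices it into the statement text; the hostile value from the post simply matches no row and deletes nothing. The <code>main</code> method assumes an embedded JDBC driver (here the sqlite-jdbc driver and its <code>jdbc:sqlite::memory:</code> URL) is on the classpath; the table and rows it creates are constructed sample data, and <code>SafeUserLookup</code>, <code>findUsers</code> and <code>countUsers</code> are names chosen for this example.</p>

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class SafeUserLookup {

    // Looks up users by login id with a parameterised query. The '?' placeholder is
    // bound with setString, so the driver sends username as data, never as SQL text.
    // Whatever quotes or semicolons the value contains, it is compared literally.
    static List<String> findUsers(Connection conn, String username) throws SQLException {
        String sql = "SELECT log_id FROM USER WHERE log_id = ?";
        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString("log_id"));
                }
            }
        }
        return found;
    }

    // Row count, used only to show that the hostile input did not delete anything.
    // A plain Statement is fine here because the SQL text is a fixed constant.
    static int countUsers(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM USER")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the sqlite-jdbc driver is on the classpath; any JDBC driver works
        // for findUsers itself, only the URL and the sample schema below are driver-specific.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                // constructed sample schema and rows for the demonstration
                st.execute("CREATE TABLE USER (log_id TEXT)");
                st.execute("INSERT INTO USER VALUES ('John'), ('Alice')");
            }

            // The value from the post: with string concatenation it would end the quoted
            // literal and append a DELETE; as a bound parameter it is just an odd login id.
            String hostile = "John'; delete from user where 'a' = 'a";

            System.out.println("matches for hostile value: " + findUsers(conn, hostile));
            System.out.println("rows still in USER: " + countUsers(conn));
            System.out.println("matches for John: " + findUsers(conn, "John"));
        }
    }
}
```

<p>Note that <code>findUsers</code> prepares the statement on every call for clarity; in a long-lived service you would typically keep the <code>PreparedStatement</code> (or let the driver's statement cache keep it) so the engine's reuse of the parsed query, the second benefit the post mentions, actually pays off.</p>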