Avoid SQL injection

I want to avoid SQL injection in my webapp. It is based on Java.

Are prepared statements enough?

Do I need to filter out "and"? Are there existing solutions for this in Java?

+4
4 answers

The short answer to the question in your second paragraph is that it is usually a bad idea to consider any one aspect "sufficient" for problems like this, at least if you do so to the extent that you stop thinking about the principles involved.

Using PreparedStatements goes a long way toward stopping SQL injection, just as slapping synchronized on everything goes a long way toward stopping data races. And in many individual situations they will be enough. But in both cases they are not magic bullets: you need to know why you are using them, and when and where they are not enough. For example, if you think PreparedStatement is a magic wrapper that prevents SQL injection, you will be very disappointed the first time you need to build a dynamic statement (as opposed to a merely parameterized one) based on user input.

So the thing that is "enough" is education. Understand how and why the threat works; once you have a feel for this, you will be able to take the appropriate action for the situation (which is sometimes just to use PreparedStatement, but not always). I don't know of any particularly good resources on SQL injection (over and above what you can get from Google), so hopefully other answers can point to the One True Tutorial!

+5

Just never build your SQL queries manually by concatenating strings; always use PreparedStatement and parameterize it with ? wildcards. The JDBC driver takes care of the escaping, so you don't have to do it yourself.

Escaping, on the other hand, is hard. You would be surprised at how many ways there are to work around your escaping algorithms. The JDBC driver does the job correctly.

+4

Although prepared statements help protect against SQL injection, there is still scope for SQL injection attacks through inappropriate use of prepared statements. The following example shows a scenario where the input variable is passed directly into the SQL text of the prepared statement and thereby paves the way for SQL injection attacks.

Example:

    String strUserName = request.getParameter("Txt_UserName");
    // The user-supplied value is concatenated into the SQL text, so the statement
    // is "prepared" from user-influenced SQL; no parameter is ever bound.
    PreparedStatement prepStmt = con.prepareStatement(
        "SELECT * FROM user WHERE userId = '" + strUserName + "'");

Further information on preventing SQL injection is here.


OWASP is a great resource for anything security-related in software development. They have Java libraries that can be used to prevent XSS and SQL injection.

They also have a deliberately insecure webapp that you can try to hack, and thus learn what not to do.

+2
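As an added example that is not from any of the answers here, the following Java puts the misused PreparedStatement from the example above next to a correctly parameterized one, and handles the dynamic-statement case from the first answer (a request-controlled ORDER BY column, which cannot be bound with ?) with an allowlist. It assumes an already opened JDBC Connection and a user table whose columns active, createdAt and lastLogin are made up for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

// Added example, not code from any of the answers above. Assumes an open JDBC
// Connection and a table "user" with the columns used below (userId is from
// the example in the answer; active, createdAt and lastLogin are assumed).
public class UserLookup {

    // UNSAFE (the misuse shown in the answer above): the request value is
    // spliced into the SQL text, so prepareStatement() receives SQL whose
    // shape the user controls. A quote character in the input ends the
    // literal and the rest of the input is parsed as SQL. Nothing is bound.
    static ResultSet unsafe(Connection con, String userName) throws SQLException {
        PreparedStatement ps = con.prepareStatement(
            "SELECT * FROM user WHERE userId = '" + userName + "'");
        return ps.executeQuery();
    }

    // SAFE: the SQL text is a constant; the value is sent as a bound
    // parameter and is never parsed as SQL, whatever characters it contains.
    static ResultSet safe(Connection con, String userName) throws SQLException {
        PreparedStatement ps = con.prepareStatement(
            "SELECT * FROM user WHERE userId = ?");
        ps.setString(1, userName);
        return ps.executeQuery();
    }

    // The "dynamic statement" case from the first answer: identifiers such as
    // an ORDER BY column cannot be bound with '?', so a request-controlled
    // sort column must be mapped through an allowlist of our own constants
    // before it may appear in the SQL text. Data values still use parameters.
    private static final Set<String> SORTABLE = Set.of("userId", "createdAt", "lastLogin");

    static ResultSet listActiveSorted(Connection con, String sortColumn, boolean active)
            throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // sortColumn now equals one of the literals in SORTABLE, so it is no
        // longer user-shaped text; concatenating it cannot change the query.
        PreparedStatement ps = con.prepareStatement(
            "SELECT * FROM user WHERE active = ? ORDER BY " + sortColumn);
        ps.setBoolean(1, active);
        return ps.executeQuery();
    }
}
```

Set.of requires Java 9 or later; with any JDBC driver, the same input that alters the query in unsafe() is simply matched as a literal value in safe().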

Prepared statements can be sufficient. If you use prepared statements, you still need to take care to build statements using only wildcards. In other words, it is possible to use prepared statements incorrectly. You do not need to filter out any parameters to avoid SQL injection. However, you may need to filter certain values to avoid web-based attacks (such as XSS), depending on your environment and domain.

+1
