Geek Answers Handbook

How to avoid a string for an SQL query (without a prepared statement)

I know the power of the prepared statement, but I cannot use it here. I am sending sql queries to an external server via HTTP, not through JDBC. How to avoid string for SQL query? Is there a way to do this through JDBC? or should I use a special class / function for this?

ps I also have a connection to another database, so I can use the JDBC functions.

+4
source share
4 answers

It sounds very uncertain. If you send SQL queries via HTTP, you can get a trade-off between man-in-the-middle attacks (among others). In addition, any mid-level programmer can try to execute malicious SQL against your database if he sees that you are sending SQL queries. They can create users, change passwords, extract confidential data ... Are you sure this is the best way to approach this?

+1
source

I know that references really don't give the right answers, but this SQL Injection Prevention Cheat Sheet is a great read (and too big to post on here), if you cannot use prepared statements - it gives you many examples of how to prevent SQL Injection

+1
source

Read it that has this:

static public String escapeLine(String s) { String retvalue = s; if (s.indexOf ("'") != -1 ) { StringBuffer hold = new StringBuffer(); char c; for(int i=0; i < s.length(); i++ ) { if ((c=s.charAt(i)) == '\'' ) { hold.append ("''"); }else { hold.append(c); } } retvalue = hold.toString(); } return retvalue; }
+1
source

Despite the fact that others have already said that this is not a good idea. You can simply "mimic" the behavior of the PreparedStatement through your HTTP call.

Just send some parameters to the call, for example

 /sqlInterperter.do?sql=somesql_with_params&param1=...&param2=...

At the very least, you can reuse prepared statements on the receiving side.

(However, anyone can send you any statements! Best of all: don't do this)

+1
source

More articles:


All Articles