To prevent SQL injection against your Java website:
NEVER do this (manually concatenate SQL):
String sql = "select 1 from user where userId='" + userId + "' and password='" + password + "'";
Instead do this (use prepared statements):
String sql = "select 1 from user where userId = ? and password = ?";
PreparedStatement prepStmt = con.prepareStatement(sql);
prepStmt.setString(1, userId);   // values are bound as data, not spliced into the SQL text
prepStmt.setString(2, password);
With a prepared statement the SQL text (including its ? placeholders) is sent to the database separately from the parameter values. The values are bound as data, so input such as ' OR '1'='1 is compared literally as a password and can never change the structure of the query. (A few JDBC drivers escape the parameters client-side instead of sending them separately, but the driver does that quoting consistently, so the attacker still gets no say in what the SQL looks like.)
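As an added example (not code from the original post) the following shows the two approaches side by side using Python's built-in sqlite3 module, which needs no JDBC driver to run; the user table, the two accounts and the attacker inputs are constructed for the demonstration. The ? placeholders map directly onto the setString(1, ...) / setString(2, ...) calls of the Java PreparedStatement above, and the same payloads behave the same way against a JDBC-backed login.

```python
import sqlite3

# Constructed stand-in for the page's "user" table (hypothetical accounts).
USERS = [("alice", "s3cret"), ("bob", "o'neil")]

# Constructed attacker inputs: a tautology for the password field, and a
# payload that comments out the rest of the WHERE clause via the userId field.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (userId TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    con.commit()
    return con


def login_concat(con, user_id, password):
    """Vulnerable: the same string concatenation as the page's first Java line.

    User input becomes part of the SQL text, so a quote in it rewrites the query.
    """
    sql = ("select 1 from user where userId='" + user_id
           + "' and password='" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_prepared(con, user_id, password):
    """Safe: the page's PreparedStatement pattern.

    The '?' placeholders play the role of JDBC's setString(1, ...) and
    setString(2, ...); the values are bound as data and never parsed as SQL.
    """
    sql = "select 1 from user where userId = ? and password = ?"
    return con.execute(sql, (user_id, password)).fetchone() is not None


def concat_breaks_on_quote(con):
    """Concatenation also fails on a legitimate password that contains a quote."""
    try:
        login_concat(con, "bob", "o'neil")
    except sqlite3.OperationalError:
        return True
    return False


def run_demo():
    """Return the outcome of the same inputs under both approaches."""
    con = make_db()
    return {
        "valid_concat": login_concat(con, "alice", "s3cret"),
        "valid_prepared": login_prepared(con, "alice", "s3cret"),
        # Attacker knows only the username and sends a tautology as the password.
        "tautology_concat": login_concat(con, "alice", TAUTOLOGY),
        "tautology_prepared": login_prepared(con, "alice", TAUTOLOGY),
        # Attacker comments out the password check entirely.
        "comment_concat": login_concat(con, COMMENT_OUT, "wrong"),
        "comment_prepared": login_prepared(con, COMMENT_OUT, "wrong"),
        # A real password with a quote works with parameters, errors with concat.
        "quote_prepared": login_prepared(con, "bob", "o'neil"),
        "quote_concat_errors": concat_breaks_on_quote(con),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} {result}")
```

Both payloads log in as alice through the concatenated query without knowing the password, while the parameterised query simply compares them as literal strings and rejects them. Note the last pair of results: concatenation is not only exploitable, it also breaks on honest input containing a quote, which is where ad-hoc escaping attempts usually start going wrong.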
PreparedStatement doesn't escape characters. It doesn't give an attacker any chance to alter your SQL statement.
Right you are. I looked it up, and in most databases the parameters are passed in directly to the database unaltered, which never gives the hacker a chance to alter them. It seems that a few databases actually do escape the parameters, but these are in the minority.
I've corrected my post.