Does the preparedStatement avoid SQL injection?

java jdbc prepared-statement sql-injection
33,201

Solution 1

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

preparedStatement = "SELECT * FROM users WHERE name = '" + userName + "';";

If somebody puts

' or '1'='1

as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed on database as

SELECT * FROM users WHERE name = '' OR '1'='1';

So, if you use

preparedStatement = "SELECT * FROM users WHERE name = ?";
preparedStatement.setString(1, userName);

you will be safe.

Some of this code taken from this Wikipedia article.

Solution 2

The prepared statement, if used properly, does protect against SQL injection. But please post a code example to your question, so we can see if you are using it properly.

Solution 3

Well simply using PreparedStatement doesn't make you safe. You have to use parameters in your SQL query which is possible with PreparedStatement. Look here for more information.

Solution 4

The PreparedStatement alone does not help you if you are still concatenating Strings.

For instance, one rogue attacker can still do the following:

  • call a sleep function so that all your database connections will be busy, therefore making your application unavailable
  • extracting sensitive data from the DB
  • bypassing the user authentication

And it's not just SQL that can b affected. Even JPQL can be compromised if you are not using bind parameters.

Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:

Share:
33,201
Mohamed Saligh
Author by

Mohamed Saligh

Updated on January 22, 2021

Comments

  • Mohamed Saligh
    Mohamed Saligh over 3 years

    I have read and tried to inject vulnerable sql queries to my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations.

    Is the preparedStatements safe? and moreover will there be any problem with this statement too?

  • Mohamed Saligh
    Mohamed Saligh over 13 years
    Does the setString make any difference? what it actually does? Even thats going to substitute the string inplace. What different it makes?
  • darioo
    darioo over 13 years
    @Mohamed: it makes a difference. The query "SELECT * FROM users WHERE name = ?" will be sent to the database where it's compiled and then userName from setString will be substituted. If the database sees an illegal value, it will throw an error. So, ' or '1'='1 will be treated as a whole string, and not as a statement involving operators or and =. The database will see it as a string with value "' or '1'='1".

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Preventing SQL Injection in JDBC without using Prepared Statements
How does a PreparedStatement avoid or prevent SQL injection?
com.microsoft.sqlserver.jdbc.SQLServerException: The value is not set for the parameter number 1
What to use: executeUpdate() or execute()?
Inserting custom date and current time into Oracle database using string variables
Rollback batch execution when using jdbc with autocommit=true
Do I get a memory leak by not closing my JDBC PreparedStatements?
How do I make a prepared statement?
Creation of a prepared statement inside a loop
How does Java's PreparedStatement work?