How should I sanitize database input in Java?

java mysql security sql-injection
17,503

Solution 1

You definitely want to use PreparedStatements. They are convenient. Here is an example.

Solution 2

Use PreparedStatement instead of Statement

Solution 3

Normally, you shouldn't create a query concatenating input, but using PreparedStatement instead.

That lets you specify in which places you'll be setting your parameters inside your query, so Java will take care of sanitizing all inputs for you.

Solution 4

PreparedStatement? Yes, absolutely. But I think there's one more step: validation of input from UI and binding to objects prior to getting close to the database.

I can see where binding a String in PreparedStatement might still leave you vulnerable to a SQL injection attack:

String userInput = "Bob; DELETE FROM FOO";
String query = "SELECT * FROM FOO WHERE NAME = ?";

PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, userInput);
ps.executeQuery();

I've gotta admit that I haven't tried it myself, but if this is remotely possible I'd say PreparedStatement is necessary but not sufficient. Validating and binding on the server side is key.

I'd recommend doing it with Spring's binding API.

Solution 5

Your user input would actually have to be "Bob'; delete from foo; select '" (or something like that) so the implicit quotes added by the prepared statement would be closed:

SELECT * FROM FOO WHERE NAME = 'Bob'; delete from foo; select ''

but if you do that the prepared statement code will quote your quote so you get an actual query of

SELECT * FROM FOO WHERE NAME = 'Bob''; delete from foo; select '''

and your name would be stored as "Bob', delete from foo; select '" instead of running multiple queries.

Share:
17,503
Benjamin Confino
Author by

Benjamin Confino

Updated on June 04, 2022

Comments

  • Benjamin Confino
    Benjamin Confino almost 2 years

    Could someone please point me to a good beginner guide on safely running SQL queries formed partly from user input? I'm using Java, but a language neutral guide is fine too.

    The desired behaviour is that if someone types into the GUI something like

    very nice;) DROP TABLE FOO;

    The database should treat it as a literal string and store it safely without dropping any tables.

  • user2245201
    user2245201 about 15 years
    This is exactly the kind of attack that prepared statements are meant to protect against. It will escape the ;.
  • Brett
    Brett about 15 years
    Technically the PreparedStatement interface does not guarantee it. Although if your driver does something different, find a new vendor.
  • Bill Karwin
    Bill Karwin about 15 years
    @duffymo: Of course data validation is a good idea, both for security and for application logic. But server-side prepared statements should keep parameter values separate from the SQL syntax throughout the query execution. They are never interpolated into the query, so no escaping is necessary.
  • duffymo
    duffymo about 15 years
    "should" - there's the key word.
  • user9920500
    user9920500 about 4 years
    But prepared statements have inconvenience w.r.t to IN clause/ dynamically appending AND conditions based on availability of Input, ORDER BY clause etc, which might lead to performance drawbacks / code readability issues. Is there an alternative for that ?
  • duffymo
    duffymo about 4 years
    None that I know of. I doubt that your performance concerns are measurable. This answer is 11 years old. Ask a new question if you must. Your comment isn't helpful.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How secure is laravel 5.1?
what's the meaning of 'admin' OR 1=1 -- '
Which characters are actually capable of causing SQL injection in MySQL?
How can I protect MySQL username and password from decompiling?
How can I prevent SQL injection in PHP?
SQL injection that gets around mysql_real_escape_string()
Is "mysqli_real_escape_string" enough to avoid SQL injection or other SQL attacks?
Java equivalent for PHP's mysql_real_escape_string()
Why is using a mysql prepared statement more secure than using the common escape functions?
how safe are PDO prepared statements