Preventing SQL Injection in JDBC without using Prepared Statements


Solution 1

The ESAPI library has procedures for escaping input for SQL and for developing your own db-specific encoders if necessary.
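Added example, not code from the answer, the question, or ESAPI itself: ESAPI ships SQL codecs for MySQL, Oracle and DB2 but none for Sybase, so this is the hand-written equivalent of "developing your own encoder" for the UPDATE in the question. The class name SqlLiterals and the sample payload are mine. It assumes the target dialect follows SQL-92 string-literal rules (a single quote inside a literal is written as two single quotes and backslash is not an escape character); that assumption must be checked against the actual database before relying on it.

```java
/**
 * Added example (not code from the question, the answers, or ESAPI).
 * Builds an UPDATE for java.sql.Statement by turning each untrusted value
 * into a literal according to its type, instead of concatenating raw input.
 *
 * Assumption: the target dialect follows SQL-92 string literals, where a
 * single quote inside a literal is written as two single quotes and the
 * backslash has no special meaning. Check this against the real database.
 */
public final class SqlLiterals {

    private SqlLiterals() {}

    /** Numbers never go through the string path: parse, then re-emit digits. */
    public static String intLiteral(String untrusted) {
        // parseInt accepts only an optional sign followed by digits, so
        // "42 OR 1=1" or "42; DROP TABLE mytable" throws instead of
        // reaching the database.
        return Integer.toString(Integer.parseInt(untrusted.trim()));
    }

    /** Quote and escape a string value as a SQL-92 literal. */
    public static String stringLiteral(String untrusted) {
        if (untrusted == null) {
            return "NULL";
        }
        StringBuilder sb = new StringBuilder(untrusted.length() + 2).append('\'');
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\'') {
                sb.append("''");  // the only metacharacter inside a SQL-92 literal
            } else if (c == '\0') {
                // A NUL can truncate the statement in some client libraries;
                // refuse it rather than guess what the server would do.
                throw new IllegalArgumentException("NUL character in string value");
            } else {
                sb.append(c);
            }
        }
        return sb.append('\'').toString();
    }

    /** The UPDATE from the question, rebuilt for Statement.executeUpdate(). */
    public static String updateValueById(String untrustedValue, String untrustedId) {
        return "UPDATE mytable SET value=" + stringLiteral(untrustedValue)
             + " WHERE id=" + intLiteral(untrustedId);
    }

    public static void main(String[] args) {
        // Constructed sample input: a classic quote-breaking payload.
        System.out.println(updateValueById("x' OR '1'='1", "42"));
        try {
            updateValueById("ok", "42 OR 1=1");
        } catch (NumberFormatException e) {
            System.out.println("rejected non-numeric id: " + e.getMessage());
        }
    }
}
```

Running it shows the quote inside the payload doubled, so the whole input stays one literal, and the non-numeric id rejected before any SQL is built. Dates, decimals and booleans get the same treatment as the integer: parse into the Java type, then print it back. The residual risk is a dialect-specific literal rule (for example a server that treats backslash as an escape or has a different NUL handling), which is why the SQL-92 assumption has to be verified on the specific Sybase flavour rather than taken from the standard.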

Solution 2

Check out JTDS FAQ - I'm pretty confident that with a combination of properties prepareSQL and maxStatements you could go there (or "could have gone" as you probably completed that task years ago :-) )
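Added example for this answer, not taken from it or from the jTDS project: it sets the jTDS connection property prepareSQL to 0, which tells the driver not to prepare anything on the server but to substitute the parameters into the SQL text itself, so no temporary stored procedure is needed and the PreparedStatement code from the question can stay as it is. Host, port, database, user and the class name JtdsNoTempProcs are placeholders; maxStatements is the driver's prepared-statement cache size, set to 0 (disabled) here on the assumption that there is nothing useful to cache once server-side preparation is off.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Added example (not from the answer or from jTDS). Connects with the jTDS
 * driver configured so PreparedStatement works without server-side
 * temporary stored procedures. Host, port, database and credentials are
 * placeholders.
 */
public final class JtdsNoTempProcs {

    public static int updateValue(String url, Properties props,
                                  String userInput, int id) throws SQLException {
        try (Connection conn = DriverManager.getConnection(url, props);
             PreparedStatement ps = conn.prepareStatement(
                     "UPDATE mytable SET value=? WHERE id=?")) {
            // With prepareSQL=0 the driver turns each parameter into an
            // escaped literal in the SQL text; the values are still data,
            // never part of the statement structure.
            ps.setString(1, userInput);
            ps.setInt(2, id);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws Exception {
        // Older jTDS builds are not JDBC 4 service-loadable; explicit
        // registration is harmless on newer ones.
        Class.forName("net.sourceforge.jtds.jdbc.Driver");

        // jTDS URL form: jdbc:jtds:<server_type>://<host>[:<port>][/<db>]
        String url = "jdbc:jtds:sybase://dbhost:5000/appdb";
        Properties props = new Properties();
        props.setProperty("user", "app_user");
        props.setProperty("password", System.getenv().getOrDefault("DB_PASSWORD", ""));
        // 0 = no server-side prepare (no temp procs, no sp_prepare);
        // parameters are substituted client-side by the driver.
        props.setProperty("prepareSQL", "0");
        // Prepared-statement cache; assumed pointless when prepareSQL=0.
        props.setProperty("maxStatements", "0");

        // Constructed sample input: the same quote-breaking payload that
        // would be dangerous if concatenated into the SQL by hand.
        int rows = updateValue(url, props, "x' OR '1'='1", 42);
        System.out.println("rows updated: " + rows);
    }
}
```

The trade-off is that every execution sends the full statement text with literals inlined, so the server parses it each time; for a one-off data migration that cost is irrelevant, and it is still the driver, not application code, doing the escaping.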

David Webb
Updated on June 04, 2022

Comments

  • David Webb
    David Webb almost 2 years

    I am aware that using Prepared Statements is the best way to protect against SQL Injection (and syntax errors due to unescaped characters in unchecked input).

    My current situation is that I am writing some Java code to move data from one third party application to another. The destination application uses a proprietary version of Sybase and so, whilst I do have the JTDS JDBC driver, PreparedStatement fails, as the driver uses temporary stored procedures which aren't supported in this particular flavour of the database. So I only have Statement to work with and I have no control over the user input as it is coming from another application.

    There is this similar question but that is focused on fixing the problem where you have a parameter such as a table which cannot be handled via a Prepared Statement. My case is different and hopefully simpler, since I have straightforward SQL statements. I would like to know if there is a best practice for replicating something like the following without using PreparedStatement:

    PreparedStatement statement = connection.prepareStatement("UPDATE mytable SET value=? WHERE id=?");
    statement.setString(1, userInput); // first ? is the value column
    statement.setInt(2, getID());      // second ? is the id in the WHERE clause
    statement.executeUpdate();
    

    So I guess the problem is how can I sanitise the user input reliably? I can try to do that myself from scratch but this seems like a bad idea as there is likely to be at least one edge case I'd miss, so I was hoping there was a library out there that would do that for me, but I haven't been able to find one so far.