 

Avoiding SQL Injection

I want to avoid SQL Injections in my Webapp. It's Java based.

Are PreparedStatements enough?

Do I have to filter out the ' and "? Are there already solutions for this in Java?

krackmoe asked Dec 16 '22 12:12


1 Answer

My gut response to the question in your second paragraph is that it's usually a bad idea to consider a single aspect "enough" for this sort of issue - at least if you do this to the point that you stop thinking about the principles involved.

Using PreparedStatements does go a long way to stopping SQL injection, just like slapping down synchronized everywhere goes a long way to stopping data races. And in many individual situations they'll be entirely sufficient. But in both cases they're not magic bullets - you need to be aware of the reasons you're using them, and when and where they're insufficient. For example, if you think PreparedStatements are a magic wrapper that prevents SQL injection, you'll be very disappointed the first time you need to create a dynamic statement (as opposed to merely a parameterised one) based on user input.

Thus the thing that's "enough", is education. Understand how and why the threat works; once you grok that, you'll be able to take the appropriate actions to a given situation (which sometimes is just using a PreparedStatement, but not always). I'm not aware of any particularly good resources on SQL injection though (above and beyond what you can get from Google), so hopefully other answers can point you to the One True Tutorial!

Andrzej Doyle answered Dec 19 '22 02:12
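To make the answer's point concrete, here is an added example (not code from the question or the answer) showing the three cases side by side in plain JDBC: a query built by string concatenation that an input containing a quote breaks out of, the same query as a PreparedStatement where the quote is just data, and the "dynamic statement" case the answer warns about, where the column name in an ORDER BY cannot be a bind parameter and so has to be allow-listed before it is concatenated. It assumes the H2 JDBC driver is on the classpath (the `jdbc:h2:mem:` URL) and uses a constructed `users` table with two sample rows; the `SORTABLE_COLUMNS` allow-list and the method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SqlInjectionDemo {

    // Hypothetical allow-list: the only column names a client may sort by.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("name", "email");

    // VULNERABLE: the user's input becomes part of the SQL text, so an input
    // such as  x' OR '1'='1  closes the string literal and changes the query.
    static List<String> findUserUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // SAFE: the value is bound as a parameter. The driver keeps it separate
    // from the SQL text (or escapes it correctly for the database), so quotes
    // in the input are only data. No hand-rolled filtering of ' or " is needed.
    static List<String> findUserSafe(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // DYNAMIC SQL: an identifier (column name) cannot be a ? parameter, so a
    // PreparedStatement alone does not protect this part. Validate the name
    // against a fixed allow-list, then concatenate only the validated value;
    // everything that can be a parameter (the LIMIT) still is one.
    static List<String> listUsersSortedBy(Connection c, String column, int limit) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        String sql = "SELECT email FROM users ORDER BY " + column + " LIMIT ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setInt(1, limit);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data in an in-memory H2 database (driver assumed on the classpath).
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(64), email VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
            }
            String attack = "x' OR '1'='1";

            // Concatenation: WHERE name = 'x' OR '1'='1' matches every row.
            System.out.println("unsafe: " + findUserUnsafe(c, attack));
            // Parameter binding: looks for a user literally named  x' OR '1'='1  and finds none.
            System.out.println("safe:   " + findUserSafe(c, attack));
            // Allow-listed identifier plus bound LIMIT.
            System.out.println("sorted: " + listUsersSortedBy(c, "name", 10));
            // Anything outside the allow-list is rejected before it reaches the SQL text.
            try {
                listUsersSortedBy(c, "name; DROP TABLE users", 10);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allow-list is the part that needs engineering judgement rather than a library: identifiers, table names, sort directions and the like must be mapped from user input onto a closed set of values you control, and only the mapped value ever reaches the SQL string. Escaping quotes does not help there, because an identifier is not inside quotes in the first place.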