How should I sanitize database input in Java?

Could someone please point me to a good beginner guide on safely running SQL queries formed partly from user input? I'm using Java, but a language neutral guide is fine too.

The desired behaviour is that if someone types into the GUI something like

very nice;) DROP TABLE FOO;

The database should treat it as a literal string and store it safely without dropping any tables.

Benjamin Confino asked Mar 26 '09 22:03


2 Answers

You definitely want to use PreparedStatements. They are convenient. Here is an example.

Josh Stodola answered Sep 18 '22 14:09
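The example link in the answer above is not preserved on this page, so here is an added JDBC illustration (my own code, not the answerer's) showing why string concatenation fails and how a PreparedStatement keeps the input from the question as plain data. It assumes a table FOO with a VARCHAR column NOTE and uses a placeholder JDBC URL that you would replace with your own driver's.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SafeInsertExample {

    // Assumption: a table FOO(NOTE VARCHAR(255)) exists behind this URL.
    // The URL is a placeholder, not a real connection string.
    private static final String JDBC_URL = "jdbc:<driver>://<host>/<database>";

    // UNSAFE: the user's text is spliced into the SQL grammar. A quote character in
    // userText ends the string literal early and whatever follows is parsed as SQL,
    // which is exactly how a "DROP TABLE" in the input could be executed.
    static void insertNoteUnsafe(Connection conn, String userText) throws SQLException {
        String sql = "INSERT INTO FOO (NOTE) VALUES ('" + userText + "')";
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    // SAFE: the SQL text is fixed before any user data is seen; userText is shipped
    // to the database as a bound parameter value, so it is never parsed as SQL.
    // Semicolons, quotes and keywords in it are stored verbatim.
    static int insertNoteSafe(Connection conn, String userText) throws SQLException {
        String sql = "INSERT INTO FOO (NOTE) VALUES (?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userText);  // bound as data, not concatenated into the SQL
            return ps.executeUpdate();  // rows inserted, expected 1
        }
    }

    // Reads back with a bound parameter too; returns true if the exact text was stored.
    static boolean noteExists(Connection conn, String text) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT 1 FROM FOO WHERE NOTE = ?")) {
            ps.setString(1, text);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String input = "very nice;) DROP TABLE FOO;";  // the input from the question
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            insertNoteSafe(conn, input);
            System.out.println("stored verbatim: " + noteExists(conn, input)); // true, FOO intact
        }
    }
}
```

Note that the same parameter binding is what you want for WHERE clauses and UPDATEs, not only INSERTs; the one thing a parameter cannot replace is an identifier such as a table or column name, which must come from a fixed allow-list in your code.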


Use PreparedStatement instead of Statement

Geo answered Sep 16 '22 14:09