Could someone please point me to a good beginner guide on safely running SQL queries formed partly from user input? I'm using Java, but a language neutral guide is fine too.
The desired behaviour is that if someone types into the GUI something like
very nice;) DROP TABLE FOO;
The database should treat it as a literal string and store it safely without dropping any tables.
User input should always be treated as malicious before it makes it down into the lower layers of your application. Always sanitize input as soon as possible; it should not, for any reason, be stored in your database before checking for malicious intent.
Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services for any unwanted characters and strings, to prevent the injection of harmful code into the system.
You definitely want to use PreparedStatements. They are convenient. Here is an example.
Use PreparedStatement instead of Statement
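The following is an added example, not code from the answer above: it stores the exact string from the question (plus a second constructed input that also contains a single quote) with a `PreparedStatement`, then reads it back to show it was kept as a literal value, and contrasts that with the string-concatenation form that `Statement` invites. It assumes the H2 in-memory database (the H2 driver jar on the classpath) so it runs without a server; the table and column names `FOO`/`note` and the class name `SafeInsertDemo` are the example's own choices.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not part of the original answer): untrusted text is passed
 * to the database as a bound parameter, so the driver/server never parses it
 * as SQL. Assumption: H2 in-memory DB (h2*.jar on the classpath); any JDBC
 * driver behaves the same way for the PreparedStatement part.
 */
public class SafeInsertDemo {

    // Constructed sample inputs: the string from the question, and one that
    // also contains a single quote, which breaks naive concatenation.
    static final String[] USER_INPUTS = {
        "very nice;) DROP TABLE FOO;",
        "O'Brien'); DROP TABLE FOO; --"
    };

    /** Vulnerable form, shown for contrast: the user text becomes part of the
     *  SQL, so quotes and semicolons in it change what the statement means. */
    static void insertUnsafe(Connection c, String input) throws SQLException {
        String sql = "INSERT INTO FOO(note) VALUES ('" + input + "')";
        try (Statement st = c.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    /** Safe form: the SQL text is fixed at compile time; the value travels
     *  separately and is stored exactly as typed. */
    static void insertSafe(Connection c, String input) throws SQLException {
        String sql = "INSERT INTO FOO(note) VALUES (?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, input);   // bound as data, never parsed as SQL
            ps.executeUpdate();
        }
    }

    static int countRows(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM FOO")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.executeUpdate(
                    "CREATE TABLE FOO(id INT AUTO_INCREMENT PRIMARY KEY, note VARCHAR(200))");
            }

            for (String input : USER_INPUTS) {
                insertSafe(c, input);
            }
            System.out.println("rows after prepared inserts: " + countRows(c));

            // Read back: each input comes out byte-for-byte as it went in.
            try (PreparedStatement ps = c.prepareStatement("SELECT note FROM FOO ORDER BY id");
                 ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println("stored literally: " + rs.getString(1));
                }
            }

            // Contrast: concatenating the quote-bearing input closes the string
            // literal early. The database then either rejects the malformed
            // statement or executes whatever followed; neither is acceptable,
            // and a SQLException here is the lucky outcome.
            try {
                insertUnsafe(c, USER_INPUTS[1]);
                System.out.println("unsafe insert ran; rows now: " + countRows(c));
            } catch (SQLException e) {
                System.out.println("unsafe insert rejected: " + e.getMessage());
            }
        }
    }
}
```

The point to take from the two `insert*` methods is that safety comes from keeping the SQL text constant and binding values with `setString`/`setInt` and friends; escaping or "sanitizing" the input yourself is not needed for this and is easy to get wrong. Table or column names cannot be bound as parameters, so if those ever come from the user they must be checked against an allow-list instead.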