protecting text field components from SQL injection

2013-01-02 Thread John
Hi,

Has anyone any knowledge of this topic? I'd like to ensure that any of my text 
input fields can block any use of SQL reserved words. Would a validator be a 
suitable approach?

happy new year,
John

Re: protecting text field components from SQL injection

2013-01-02 Thread Alex Kotchnev
John - trying to protect against SQL injection by blacklisting possible
SQL reserved words is not a good approach for preventing SQL injection. The
proper way to deal with that is to not use string concatenation (using the
content of your text field) for your queries, and use prepared statements
to pass in the parameter values used in your queries. More at OWASP
(https://www.owasp.org/index.php/SQL_Injection).

Cheers - Alex K

On Wed, Jan 2, 2013 at 10:20 AM, John j...@quivinco.com wrote:

> Hi,
>
> Has anyone any knowledge of this topic? I'd like to ensure that any of my
> text input fields can block any use of SQL reserved words. Would a
> validator be a suitable approach?
>
> happy new year,
> John


Re: protecting text field components from SQL injection

2013-01-02 Thread Michael Prescott
SQL injection vulnerabilities occur when you build SQL strings manually
through string concatenation, like this:

String sqlStatement = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '%" +
queryFromUser + "%';";

The simplest way, IMO, to protect against SQL injection attacks is to not
do this.  Using JDBC's PreparedStatement, or any object-relational library
will protect you from SQL injection by handling the concatenation for you,
safely.  If you're determined to do this yourself, you can look at
commons-lang, which has some escaping utilities.

http://commons.apache.org/lang/api-2.3/org/apache/commons/lang/StringEscapeUtils.html

The problem with rejecting potentially SQL-busting user input is that SQL
is valid to lots of user input.  For example, this string will break a SQL
statement unless properly escaped:

Macy's

And yet it's perfectly reasonable-looking user input, right?


On 2 January 2013 10:20, John j...@quivinco.com wrote:

> Hi,
>
> Has anyone any knowledge of this topic? I'd like to ensure that any of my
> text input fields can block any use of SQL reserved words. Would a
> validator be a suitable approach?
>
> happy new year,
> John
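The point Alex and Michael both make above, as an added example that is not code from this thread: the concatenated query from Michael's snippet beside its prepared-statement form, run against the reserved-word validator John asked about. Python's standard-library sqlite3 stands in for JDBC so the example runs with no database server; the `?` placeholder is the same convention JDBC's PreparedStatement uses. The table and column names (MYTABLE, TEXTFIELD) come from Michael's snippet; the sample rows and the reserved-word list are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one value with an apostrophe (Michael's "Macy's"
# case) and one ordinary place name that happens to contain a reserved word.
SAMPLE_ROWS = [
    (1, "Macy's"),
    (2, "Union Station Cafe"),
    (3, "Plain Shop"),
]

# Constructed blacklist, the kind of validator the original question proposes.
RESERVED_WORDS = {"SELECT", "UNION", "DROP", "INSERT", "DELETE", "OR", "AND"}


def make_db():
    """In-memory table shaped like the one in Michael's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MYTABLE (ID INTEGER PRIMARY KEY, TEXTFIELD TEXT)")
    conn.executemany("INSERT INTO MYTABLE VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, query_from_user):
    """The vulnerable pattern from the thread: user text is spliced into the SQL.

    Any quote character in the input changes the statement's structure, so even
    the harmless "Macy's" produces a syntax error (and hostile input would do
    worse). Kept only to show the failure; do not use this form.
    """
    sql = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '%" + query_from_user + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, query_from_user):
    """The hardened form: SQL text is fixed, the value travels as a bound parameter.

    The driver never re-parses the value as SQL, so quotes and reserved words in
    the input are just characters in a string, exactly as with PreparedStatement.
    """
    sql = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query_from_user + "%",))]


def blacklist_validator_rejects(text):
    """Reserved-word validator as asked about in the thread.

    Returns True when the validator would refuse the input. It rejects ordinary
    text that contains a reserved word and still lets quote-bearing text through,
    which is the false-positive/false-negative problem Michael describes.
    """
    tokens = text.upper().replace("'", " ").split()
    return any(tok in RESERVED_WORDS for tok in tokens)


def demo():
    """Run all three approaches on the sample data and collect the outcomes."""
    conn = make_db()
    results = {}
    try:
        results["concat_macys"] = search_concatenated(conn, "Macy's")
    except sqlite3.OperationalError as exc:
        # Concatenation breaks on a legitimate apostrophe.
        results["concat_macys"] = "error: " + str(exc)
    # Binding keeps the apostrophe inside the value; the row is found.
    results["param_macys"] = search_parameterized(conn, "Macy's")
    # A reserved word in the value is harmless when bound.
    results["param_union"] = search_parameterized(conn, "Union")
    # The blacklist rejects a perfectly reasonable place name...
    results["validator_rejects_union_station"] = blacklist_validator_rejects("Union Station Cafe")
    # ...and waves through the input that actually breaks concatenated SQL.
    results["validator_rejects_macys"] = blacklist_validator_rejects("Macy's")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Binding a parameter fixes the structural problem: the input can no longer end the string literal and start a new clause. It does not change the meaning of LIKE metacharacters, so `%` or `_` typed by a user still act as wildcards inside the bound value; that is a data question for the application, not an injection hole, and is the sort of thing an input validator is actually suited to.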