How can I do that?





"Navjot Singh" <[EMAIL PROTECTED]>
28.10.2003 12:32
Please reply to "Struts Users Mailing List"
 
        To:     "Struts Users Mailing List" <[EMAIL PROTECTED]>
        Cc: 
        Subject:  RE: Antwort: [OT] Re: far reaching db question


you should escape your sql data values for mischievous chars like single
quotes etc.


>-----Original Message-----
>From: Manuel Lenz [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 28, 2003 4:33 PM
>To: Struts Users Mailing List
>Subject: Antwort: [OT] Re: far reaching db question
>
>
>How do PreparedStatements handle single quotes and other injection
>attacks?
>I changed my db-connection from a normal statement-coding into prepared
>statements.
>But the error is still the same.
>
>Here is my test-coding:
>Connection conn = null;
>PreparedStatement prepare = null;
>ServletContext context = as.getServletContext();
>boolean ret = false;
>
>try
>{
>        DataSource ds = (DataSource) context.getAttribute(Action.DATA_SOURCE_KEY);
>
>        // Update Banf data
>        // the values are built into this string (elided here), not bound as ? parameters
>        String sql = "update tab_article set ...";
>        System.out.println (sql);
>
>        conn = ds.getConnection();
>        prepare = conn.prepareStatement(sql);
>        // run the prepared object itself; PreparedStatement.executeQuery(String) is not valid JDBC usage
>        prepare.executeUpdate();
>}
>catch (Exception ex)
>....
>
>Do I need some extra coding for injection attacks, or is this coding
>wrong?
>
>Regards,
>Manuel
>
>
>
>
>
>
>David Graham <[EMAIL PROTECTED]>
>24.10.2003 17:47
>Please reply to "Struts Users Mailing List"
>
>        To:     Struts Users Mailing List <[EMAIL PROTECTED]>
>        Cc:
>        Subject:  [OT] Re: far reaching db question
>
>
>> I create DB-Inserts from my struts application.
>> But if a user types in the sign ' any dynamically created inserts fail.
>> This is because of the sql-syntax which divides the string which will
>> be saved with '.
>>
>> For example: insert into table test (name, number) values ('mr burns',
>> '01723256477');
>>
>> How can I handle inserts in HTML forms which have the typed sign ' ?
>>
>
>Always use PreparedStatements.  They handle the ' for you and prevent
>other SQL injection attacks.
>
>David
>
>> Greetings,
>> Manuel
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>
>
>__________________________________
>Do you Yahoo!?
>The New Yahoo! Shopping - with improved product search
>http://shopping.yahoo.com
>
>
>
>
>
>
>

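The difference David is pointing at, shown as an added example rather than code from any message in this thread: Manuel's pattern builds the value into the SQL text before `prepareStatement()` sees it, so a `'` in the input still breaks the statement; binding the value through a `?` placeholder lets the driver handle the quote. The column names `name` and `id` on `tab_article`, the `updateName` method and the JDBC URL placeholder are assumptions of this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class ArticleUpdate {

    // Wrong: the user's value is pasted into the SQL text. With a name such
    // as O'Brien the quote after the O ends the string literal early, so the
    // rest of the statement is a syntax error (or, worse, extra SQL chosen
    // by the user). prepareStatement() cannot help because the text is
    // already assembled when the driver receives it.
    static String buildConcatenated(String name, int id) {
        return "update tab_article set name = '" + name + "' where id = " + id;
    }

    // Right: placeholders in the SQL, values bound afterwards. The driver
    // sends the value separately from the statement text (or escapes it
    // itself), so a quote in the input is stored literally and can never
    // change the structure of the statement.
    static int updateName(Connection conn, int id, String name) throws SQLException {
        String sql = "update tab_article set name = ? where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);      // the ' in O'Brien is handled here
            ps.setInt(2, id);
            return ps.executeUpdate();  // run the prepared object, not executeQuery(sql)
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input containing the troublesome character.
        String name = "O'Brien";
        System.out.println("concatenated text: " + buildConcatenated(name, 7));

        // Placeholder URL; in a Struts action the Connection comes from the
        // DataSource in the ServletContext instead of DriverManager.
        try (Connection conn = DriverManager.getConnection("jdbc:YOUR_DB_URL_HERE")) {
            int rows = updateName(conn, 7, name);
            System.out.println("rows updated: " + rows);
        }
    }
}
```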




