Hi,
Has anyone any knowledge of this topic? I'd like to ensure that any of my text
input fields can block any use of SQL reserved words. Would a validator be a
suitable approach?
happy new year,
John
John - trying to protect against SQL injection by black listing possible
SQL reserved words is not a good approach for preventing sql injection. The
proper way to deal with that is to not use string concatenation (using the
content of your text field) for your queries, and use prepared statements
SQL injection vulnerabilities occur when you build SQL strings manually
through string concatenation, like this:
String sqlStatement = SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '% +
queryFromUser + %';;
The simplest way, IMO, to protect against SQL injection attacks is to not
do this. Using