You should escape your SQL data values for mischievous chars like single quotes etc.
>-----Original Message-----
>From: Manuel Lenz [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 28, 2003 4:33 PM
>To: Struts Users Mailing List
>Subject: Re: [OT] Re: far reaching db question
>
>
>How do preparedStatements handle single quotes and other injection
>attacks?
>I changed my db-connection from a normal statement coding into prepared
>statements.
>But the error is still the same.
>
>Here is my test coding:
>Connection conn = null;
> PreparedStatement prepare = null;
> ServletContext context = as.getServletContext();
> boolean ret = false;
>
> try
> {
> DataSource ds = (DataSource)
>context.getAttribute(Action.DATA_SOURCE_KEY);
>
> // Update Banf data
> String sql = "update tab_article set ...";
> System.out.println (sql);
>
> conn = ds.getConnection();
> prepare = conn.prepareStatement(sql);
> prepare.executeQuery(sql);
> }
> catch (Exception ex)
> ....
>
>Do I need some extra coding for injection attacks, or is this coding
>wrong?
>
>Regards,
>Manuel
>
>
>David Graham <[EMAIL PROTECTED]>
>24.10.2003 17:47
>Please reply to "Struts Users Mailing List"
>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Cc:
> Subject: [OT] Re: far reaching db question
>
>
>> I create DB inserts from my struts application.
>> But if a user types in the sign ' any dynamically created inserts fail.
>> This is because of the sql syntax which divides the string which will
>> be
>> saved with '.
>>
>> For example: insert into table test (name, number) values ('mr burns',
>> '01723256477');
>>
>> How can I handle inserts in html forms which have the typed sign ' ?
>>
>
>Always use PreparedStatements. They handle the ' for you and prevent
>other SQL injection attacks.
>
>David
>
>> Greetings,
>> Manuel
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
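As an added illustration of the point raised in the thread (this is example code, not Manuel's or David's), the snippet below contrasts the pattern in the question, where the value is already concatenated into the SQL text before prepareStatement() is called and executeQuery(sql) is then invoked, with the intended JDBC usage: placeholders in the SQL, values bound with setString()/setInt(), and executeUpdate() with no argument. It assumes a table tab_article(id, name) and a JDBC URL passed on the command line; the column names, the class name and the sample value are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example, not code from the mailing-list thread. Assumes a table
// tab_article(id INTEGER, name VARCHAR) and a JDBC URL supplied as args[0].
public class ArticleUpdate {

    // The pattern from the question: the value is pasted into the SQL text
    // before the statement is prepared. The database then sees the ' in the
    // name as SQL syntax, which is why the quote still breaks the query even
    // though a PreparedStatement object is involved.
    static String buildConcatenated(int id, String name) {
        return "update tab_article set name = '" + name + "' where id = " + id;
    }

    // Intended JDBC usage: ? placeholders in the SQL, values bound with
    // setXxx(), and executeUpdate() with no argument. Note that calling
    // executeQuery(String) on a PreparedStatement, as in the question, is not
    // permitted by the JDBC API (it throws SQLException) and would in any
    // case ignore the bound parameters.
    static int updateName(Connection conn, int id, String name) throws SQLException {
        String sql = "update tab_article set name = ? where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);     // "mr o'burns" is sent as data, quote included
            ps.setInt(2, id);
            return ps.executeUpdate(); // updates/inserts/deletes use executeUpdate()
        }
    }

    public static void main(String[] args) throws SQLException {
        String name = "mr o'burns"; // constructed value containing the problem character
        // The concatenated form shows the malformed SQL a single quote produces.
        System.out.println(buildConcatenated(1, name));
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                System.out.println("rows updated: " + updateName(conn, 1, name));
            }
        }
    }
}
```

Run with a JDBC driver on the classpath and the URL as the first argument; without an argument it only prints the concatenated statement so the broken quoting can be seen.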