--- Manuel Lenz <[EMAIL PROTECTED]> wrote:
> How do preparedStatements handle single quotes and other injection 
> attacks?

This is JDBC driver dependent.  Each database might handle single quote
escaping differently; however, doubling them with another single quote
seems to be common.

> I changed my db-connection from a normal statement coding into prepared
> statements.
> But the error is still the same.
> 
> Here is my test coding:
> Connection conn = null;
> PreparedStatement prepare = null;
> ServletContext context = as.getServletContext();
> boolean ret = false;
>  
> try
> {
>         DataSource ds = (DataSource) context.getAttribute(Action.DATA_SOURCE_KEY);
>  
>         // Update Banf data
>         String sql = "update tab_article set ...";
>         System.out.println (sql);
>  
>         conn = ds.getConnection();
>         prepare = conn.prepareStatement(sql);
>         // executeQuery(String) on a PreparedStatement ignores the prepared
>         // text and is meant for SELECTs; an update runs via executeUpdate()
>         prepare.executeUpdate();
> }
> catch (Exception ex)

You should be catching SQLException here.  Catching Exception is almost
*always* wrong.  You should also have a finally block that closes the
connection.

>                 ....
> 
> Do I need some extra coding for injection attacks, or is this coding 
> wrong?

No, the driver should handle this for you.  You can test it by stringing
together two SQL statements with a ; in between and see if both get
executed.  If the driver is doing its job, you'll get an SQLException.

David

> 
> Regards,
> Manuel
> 
> David Graham <[EMAIL PROTECTED]>
> 24.10.2003 17:47
> Please reply to "Struts Users Mailing List"
>  
>         To:     Struts Users Mailing List
> <[EMAIL PROTECTED]>
>         Cc: 
>         Subject:  [OT] Re: far reaching db question
> 
> 
> > I create DB inserts from my Struts application.
> > But if a user types in the sign ' any dynamically created inserts fail.
> > This is because of the SQL syntax, which divides the string which will
> > be saved with '.
> > 
> > For example: insert into table test (name, number) values ('mr burns',
> > '01723256477');
> > 
> > How can I handle inserts from HTML forms which have the typed sign '?
> > 
> 
> Always use PreparedStatements.  They handle the ' for you and prevent
> other SQL injection attacks.
> 
> David
> 
> > Greetings,
> > Manuel
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
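Added example, not part of this thread: the two approaches Manuel and David discuss, written with Python's built-in sqlite3 module as a stand-in for JDBC, since its ? placeholders are bound by the driver the way PreparedStatement.setString does. It shows the concatenated insert from the original question breaking on a ' in the name, the bound version storing the same value intact, and David's check that two statements joined by ; in one call are refused by the driver. Table name, column names and the inputs are constructed.

```python
import sqlite3

# Constructed sample inputs: a name containing a single quote, and a value
# that has a second statement glued on with ';' to exercise David's check.
NAME_WITH_QUOTE = "o'brien"
STACKED_INPUT = "x'; select 1"


def _fresh_db():
    # Same table shape as Manuel's example, in an in-memory database
    conn = sqlite3.connect(":memory:")
    conn.execute("create table test (name text, number text)")
    return conn


def insert_concatenated(name, number):
    """Manuel's original pattern: SQL text built by string concatenation.
    Returns the stored name, or the driver's error message on failure."""
    conn = _fresh_db()
    sql = "insert into test (name, number) values ('" + name + "', '" + number + "')"
    try:
        conn.execute(sql)
        return conn.execute("select name from test").fetchone()[0]
    except (sqlite3.Error, sqlite3.Warning) as ex:
        # a ' in the data ends the string literal early: syntax error
        return "ERROR: " + str(ex)
    finally:
        conn.close()


def insert_prepared(name, number):
    """PreparedStatement pattern: fixed SQL text, values bound by the driver.
    A ' or ; in the data is stored verbatim, never parsed as SQL."""
    conn = _fresh_db()
    sql = "insert into test (name, number) values (?, ?)"
    try:
        conn.execute(sql, (name, number))  # like setString(1, ..); executeUpdate()
        return conn.execute("select name from test").fetchone()[0]
    finally:
        conn.close()


def stacked_statements_rejected():
    """David's check: two statements joined by ';' in one call must be refused."""
    conn = _fresh_db()
    try:
        conn.execute("insert into test values ('a', '1'); insert into test values ('b', '2')")
        return False  # driver executed both: it is not protecting you
    except (sqlite3.Error, sqlite3.Warning):
        return True   # sqlite3 raises "You can only execute one statement at a time"
    finally:
        conn.close()
```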