--- Manuel Lenz <[EMAIL PROTECTED]> wrote:

> How do preparedStatements handle single quotes and other injection
> attacks?

This is JDBC driver dependent. Each database might handle single quote escaping differently; however, doubling them with another single quote seems to be common.

> I changed my db-connection from a normal statement-coding into prepared
> statements.
> But the error is still the same.
>
> Here is my test-coding:
>
> Connection conn = null;
> PreparedStatement prepare = null;
> ServletContext context = as.getServletContext();
> boolean ret = false;
>
> try
> {
>     DataSource ds = (DataSource) context.getAttribute(Action.DATA_SOURCE_KEY);
>
>     // Update Banf-Daten
>     String sql = "update tab_article set ...";
>     System.out.println(sql);
>
>     conn = ds.getConnection();
>     prepare = conn.prepareStatement(sql);
>     prepare.executeQuery(sql);
> }
> catch (Exception ex)

You should be catching SQLException here. Catching Exception is almost *always* wrong. You should also have a finally block that closes the connection.

> ....
>
> Do I need some extra coding for injection attacks, or is this coding
> wrong?

No, the driver should handle this for you. You can test it by stringing together two SQL statements with a ; in between and see if both get executed. If the driver is doing its job, you'll get an SQLException.

David

> Regards,
> Manuel
>
>
> David Graham <[EMAIL PROTECTED]>
> 24.10.2003 17:47
> Please reply to "Struts Users Mailing List"
>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Cc:
> Subject: [OT] Re: far reaching db question
>
> > I create DB-Inserts from my struts application.
> > But if a user types in the sign ' any dynamically created inserts fail.
> > This is because of the sql-syntax which divides the string which will
> > be saved with '.
> >
> > For example: insert into table test (name, number) values ('mr burns',
> > '01723256477');
> >
> > How can I handle inserts in html-formulars which have the typed sign ' ?
>
> Always use PreparedStatements. They handle the ' for you and prevent
> other SQL injection attacks.
>
> David
>
> > Greetings,
> > Manuel
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
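The pattern David recommends, written out as an added example (not code from the thread): the SQL text holds only ? placeholders and the form values are bound with setString()/setInt(), so a quote or an embedded ; in the input is stored as data rather than parsed as SQL. Table and column names are assumed; the caller catches SQLException rather than Exception and resources are closed in a finally block, as suggested above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.sql.DataSource;

public class ArticleDao {

    // Table and column names are assumed for the example; only the
    // placeholder pattern matters. No user input is ever concatenated here.
    private static final String UPDATE_SQL =
        "update tab_article set name = ? where id = ?";

    /**
     * Updates one article row. The name is bound with setString(), so a
     * value such as  O'Brien  or  a'; select 1; --  is written literally;
     * the driver never parses it as SQL.
     *
     * @return number of rows updated (expected 0 or 1)
     */
    public static int updateArticleName(DataSource ds, int id, String name)
            throws SQLException {
        Connection conn = null;
        PreparedStatement ps = null;
        try {
            conn = ds.getConnection();
            ps = conn.prepareStatement(UPDATE_SQL); // SQL text is fixed here
            ps.setString(1, name);                  // bound as data
            ps.setInt(2, id);
            return ps.executeUpdate();              // no SQL string argument
        } finally {
            // Close in reverse order of acquisition; each close may throw.
            if (ps != null) {
                try { ps.close(); } catch (SQLException ignored) { }
            }
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { }
            }
        }
    }

    // Caller catches the specific SQLException, not Exception.
    public static boolean tryUpdateArticleName(DataSource ds, int id, String name) {
        try {
            return updateArticleName(ds, id, name) == 1;
        } catch (SQLException ex) {
            // Log ex with the application's logger; do not swallow it silently.
            return false;
        }
    }
}
```

Binding values is what gives the protection: a value concatenated into the SQL string before prepareStatement() is already part of the statement text and is not covered by the driver's parameter handling.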