SQL injection vulnerabilities occur when you build SQL strings manually
through string concatenation, like this:

String sqlStatement = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '%" +
queryFromUser + "%';";

The simplest way, IMO, to protect against SQL injection attacks is to not
do this.  Using JDBC's PreparedStatement, or any object-relational library
will protect you from SQL injection by handling the concatenation for you,
safely.  If you're determined to do this yourself, you can look at
commons-lang, which has some escaping utilities.

http://commons.apache.org/lang/api-2.3/org/apache/commons/lang/StringEscapeUtils.html

The problem with rejecting potentially SQL-busting user input is that SQL
is valid to lots of user input.  For example, this string will break a SQL
statement unless properly escaped:

"Macy's"

And yet it's perfectly reasonable-looking user input, right?


On 2 January 2013 10:20, John <j...@quivinco.com> wrote:

> Hi,
>
> Has anyone any knowledge of this topic? I'd like to ensure that any of my
> text input fields can block any use of SQL reserved words. Would a
> validator be a suitable approach?
>
> happy new year,
> John
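To show the point of the reply above in running code, here is an added example that is not part of the thread. It uses Python's built-in sqlite3 module as a stand-in for JDBC (the Java `PreparedStatement` works the same way: `?` placeholders plus a separate parameter list), and the table name, column name and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for MYTABLE / TEXTFIELD from the thread.
ROWS = [(1, "Macy's department store"), (2, "Target"), (3, "Walmart")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MYTABLE (ID INTEGER PRIMARY KEY, TEXTFIELD TEXT)")
    conn.executemany("INSERT INTO MYTABLE VALUES (?, ?)", ROWS)
    return conn


def search_concatenated(conn, query_from_user):
    # The pattern the reply warns against: the user's text becomes part of
    # the SQL source, so a quote character changes the statement's grammar.
    sql = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '%" + query_from_user + "%';"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, query_from_user):
    # The LIKE wildcards are attached to the *value*, not to the SQL text.
    # The driver ships the value to the engine separately from the statement,
    # so quotes or reserved words in it can never be parsed as SQL.
    sql = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query_from_user + "%",))]


def demo():
    """Run both versions against the same ordinary-looking inputs."""
    conn = make_db()
    results = {}
    try:
        results["concat_macys"] = search_concatenated(conn, "Macy's")
    except sqlite3.Error as exc:
        # The apostrophe breaks the statement, exactly as the reply describes.
        results["concat_macys"] = "error: " + str(exc)
    results["param_macys"] = search_parameterized(conn, "Macy's")
    # A reserved word typed as data is harmless once parameterized, so there
    # is no need for a validator that rejects words like SELECT.
    results["param_reserved_word"] = search_parameterized(conn, "SELECT")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The parameterized query returns the single matching row for "Macy's"; the concatenated one raises a syntax error before any row is read.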
