Prepared Statements with JDBC
To prevent SQL injection with JDBC, you simply need to use prepared statements. This is pretty easy to do: use a PreparedStatement object instead of a Statement object, in your SQL replace your variables with ?'s, and use the setString, setInt, etc. methods on the prepared statement object.
// The SQL text with ? placeholders is fixed before any values are supplied
String sql = "SELECT foo FROM bar WHERE a = ? AND b = ?";
// prepareStatement() (not createStatement()) returns a PreparedStatement
PreparedStatement st = connection.prepareStatement(sql);
st.setString(1, "Arg 1");
st.setString(2, "Arg 2");
ResultSet rs = st.executeQuery();
One thing to note is that the parameter indexes start at 1, not 0.
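To make the difference concrete, here is an added example (not from the original post) showing the string-concatenation version next to the prepared-statement version, run against a legitimate value that happens to contain a quote. It assumes a JDBC driver on the classpath, a placeholder connection URL, and a table bar with columns a and foo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Vulnerable: the input is spliced into the SQL text, so a quote in the
    // input changes the structure of the query instead of being plain data.
    static String lookupUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT foo FROM bar WHERE a = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("foo") : null;
        }
    }

    // Hardened: the SQL text is fixed when prepareStatement() is called and the
    // value is sent as a bound parameter, so it is never parsed as SQL.
    static String lookupSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT foo FROM bar WHERE a = ?";
        try (PreparedStatement st = conn.prepareStatement(sql)) {
            st.setString(1, name); // parameter indexes start at 1
            try (ResultSet rs = st.executeQuery()) {
                return rs.next() ? rs.getString("foo") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed: a JDBC URL for a database containing bar(a, foo); placeholder here.
        try (Connection conn = DriverManager.getConnection("jdbc:PLACEHOLDER_URL")) {
            // A perfectly normal value containing a quote. The unsafe version builds
            // WHERE a = 'O'Reilly', which is a syntax error; the safe version just works.
            String input = "O'Reilly";
            try {
                System.out.println("unsafe: " + lookupUnsafe(conn, input));
            } catch (SQLException e) {
                System.out.println("unsafe query broke on the quote: " + e.getMessage());
            }
            System.out.println("safe: " + lookupSafe(conn, input));
        }
    }
}
```

The same quote that breaks the concatenated query is exactly the character an attacker relies on, so the bound parameter fixes both the correctness bug and the injection bug at once.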
Prepared Statements with JDBC was first published on March 18, 2005.