Does the preparedStatement avoid SQL injection? [duplicate]

by

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

preparedStatement = "SELECT * FROM users WHERE name="" + userName + "";";

If somebody puts

' or '1'='1

as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed on database as

SELECT * FROM users WHERE name="" OR '1'='1';

So, if you use

preparedStatement = "SELECT * FROM users WHERE name = ?";
preparedStatement.setString(1, userName);

you will be safe.

Some of this code taken from this Wikipedia article.

More Related Contents:

  1. How does a PreparedStatement avoid or prevent SQL injection?
  2. PreparedStatement IN clause alternatives?
  3. PreparedStatement with list of parameters in a IN clause [duplicate]
  4. Using setDate in PreparedStatement
  5. Java: Insert multiple rows into MySQL with PreparedStatement
  6. How can I get the SQL of a PreparedStatement?
  7. Using “like” wildcard in prepared statement
  8. Get query from java.sql.PreparedStatement [duplicate]
  9. Variable column names using prepared statements
  10. Reusing a PreparedStatement multiple times
  11. Where’s my invalid character (ORA-00911)
  12. Getting java.sql.SQLException: Operation not allowed after ResultSet closed
  13. right syntax to use near ‘?’
  14. How does Java’s PreparedStatement work?
  15. mysql prepared statement error: MySQLSyntaxErrorException
  16. PreparedStatement setNull(..)
  17. Oracle’s RETURNING INTO usage in Java (JDBC, Prepared Statement)
  18. How to use prepared statement for select query in Java?
  19. JDBC Prepared Statement . setDate(….) doesn’t save the time, just the date.. How can I save the time as well?
  20. PreparedStatement and setTimestamp in oracle jdbc
  21. com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
  22. How to establish a connection pool in JDBC?
  23. java.sql.SQLException: – ORA-01000: maximum open cursors exceeded
  24. Cannot issue data manipulation statements with executeQuery()
  25. IO Error: The Network Adapter could not establish the connection
  26. Java JDBC Access denied for user [closed]
  27. Why does autoReconnect=true not seem to work?
  28. runtime error: java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
  29. How do I use PostgreSQL JSON(B) operators containing a question mark “?” via JDBC
  30. Postgres UUID JDBC not working

Leave a Comment