How does a PreparedStatement avoid or prevent SQL injection?

by

Consider two ways of doing the same thing:

PreparedStatement stmt = conn.createStatement("INSERT INTO students VALUES('" + user + "')");
stmt.execute();

Or

PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();

If “user” came from user input and the user input was

Robert'); DROP TABLE students; --

Then in the first instance, you’d be hosed. In the second, you’d be safe and Little Bobby Tables would be registered for your school.

More Related Contents:

  1. Using setDate in PreparedStatement
  2. How can I get the SQL of a PreparedStatement?
  3. Variable column names using prepared statements
  4. right syntax to use near ‘?’
  5. Does the preparedStatement avoid SQL injection? [duplicate]
  6. How to use prepared statement for select query in Java?
  7. PreparedStatement IN clause alternatives?
  8. How to get the insert ID in JDBC?
  9. Insert & fetch java.time.LocalDate objects to/from an SQL database such as H2
  10. java.util.Date vs java.sql.Date
  11. How do I get the size of a java.sql.ResultSet?
  12. Using “like” wildcard in prepared statement
  13. What is the best approach using JDBC for parameterizing an IN clause? [duplicate]
  14. Where’s my invalid character (ORA-00911)
  15. Getting java.sql.SQLException: Operation not allowed after ResultSet closed
  16. Running a .sql script using MySQL with JDBC
  17. Prevent SQL injection attacks in a Java program
  18. How does Java’s PreparedStatement work?
  19. JDBC Pagination
  20. org.postgresql.util.PSQLException: FATAL: sorry, too many clients already
  21. java.sql.SQLException: No suitable driver found for jdbc:mysql://localhost:3306/dbname [duplicate]
  22. Queries returning multiple result sets
  23. Class.forName(JDBC_DRIVER) no longer needed?
  24. How to prevent SQL Injection with JPA and Hibernate?
  25. Java – Storing SQL statements in an external file [closed]
  26. MS SQL Exception: Incorrect syntax near ‘@P0’
  27. JDBC Prepared Statement . setDate(….) doesn’t save the time, just the date.. How can I save the time as well?
  28. PreparedStatement and setTimestamp in oracle jdbc
  29. Database independence through JDBC in java
  30. Searching between dates in SQL with JDBC?

Leave a Comment