Java – escape string to prevent SQL injection

by

PreparedStatements are the way to go, because they make SQL injection impossible. Here’s a simple example taking the user’s input as the parameters:

public insertUser(String name, String email) {
   Connection conn = null;
   PreparedStatement stmt = null;
   try {
      conn = setupTheDatabaseConnectionSomehow();
      stmt = conn.prepareStatement("INSERT INTO person (name, email) values (?, ?)");
      stmt.setString(1, name);
      stmt.setString(2, email);
      stmt.executeUpdate();
   }
   finally {
      try {
         if (stmt != null) { stmt.close(); }
      }
      catch (Exception e) {
         // log this error
      }
      try {
         if (conn != null) { conn.close(); }
      }
      catch (Exception e) {
         // log this error
      }
   }
}

No matter what characters are in name and email, those characters will be placed directly in the database. They won’t affect the INSERT statement in any way.

There are different set methods for different data types — which one you use depends on what your database fields are. For example, if you have an INTEGER column in the database, you should use a setInt method. The PreparedStatement documentation lists all the different methods available for setting and getting data.

More Related Contents:

  1. How do i find the first un-escaped quotes in Java?
  2. How to escape text for regular expression in Java
  3. How does a PreparedStatement avoid or prevent SQL injection?
  4. Escaping special characters in Java Regular Expressions
  5. Prevent SQL injection attacks in a Java program
  6. Why String.replaceAll() in java requires 4 slashes “\\\\” in regex to actually replace “\”?
  7. How to prevent SQL Injection with JPA and Hibernate?
  8. How to implement a SQL like ‘LIKE’ operator in java?
  9. How to escape a square bracket for Pattern compilation?
  10. Remove all occurrences of \ from string
  11. split US phone number in java? [closed]
  12. how to write regex for this expression in java
  13. Regular expression for SSN and phone number [closed]
  14. Incrementing only the digits from an alphanumeric string
  15. Insert & fetch java.time.LocalDate objects to/from an SQL database such as H2
  16. How to enter quotes in a Java string?
  17. Regex to match only commas not in parentheses?
  18. Java Regex Replace with Capturing Group
  19. How to use regex in String.contains() method in Java
  20. Detect and extract url from a string?
  21. What is the regex for “Any positive integer, excluding 0”
  22. Is Java Regex Thread Safe?
  23. How do I escape a string in Java?
  24. Escape double quotes in Java [duplicate]
  25. How can I avoid ResultSet is closed exception in Java?
  26. Regular Expression for matching parentheses
  27. Replace a String between two Strings
  28. Does Pattern.compile cache?
  29. Regex to remove spaces between numbers only
  30. Regex Pattern Catastrophic backtracking

Leave a Comment