PreparedStatement
The PreparedStatement interface is used to execute dynamic SQL statements. The standard JDBC PreparedStatement interface may be used, or OraclePreparedStatement may be used if Oracle-specific data types or other Oracle extensions are required.
A PreparedStatement that is vulnerable to SQL injection may look something like this (the request parameter is concatenated straight into the SQL text, so whatever it contains becomes part of the statement) –
String name = request.getParameter("name");
// VULNERABLE: name is spliced into the statement text before it is parsed
PreparedStatement pstmt =
conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
pstmt.execute();
pstmt.close();
To prevent SQL injection, a bind variable must be used. The statement text is fixed and parsed first; the parameter value is sent separately and is treated as data, never as SQL –
PreparedStatement pstmt =
conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");
// the value is bound to the placeholder, so quotes or keywords in it are stored verbatim
pstmt.setString(1, name);
pstmt.execute();
pstmt.close();
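The following is an added example, not code from the original post. It shows the bound-insert pattern above inside a small data-access class and also the case bind variables do not cover: identifiers such as a sort column, which must be validated against a fixed allow-list instead. It assumes the caller supplies an open JDBC Connection, that EMP has the columns named in the allow-list (a hypothetical schema), and Java 9 or later for Set.of.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class EmpDao {
    // Hypothetical allow-list: column names cannot be bound with '?', so they are
    // checked against this fixed set before ever reaching the SQL text.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("ENAME", "EMPNO", "HIREDATE");

    private final Connection conn;

    public EmpDao(Connection conn) {
        this.conn = conn;
    }

    // Value position is bound: the name is sent as data and is never parsed as SQL.
    // try-with-resources closes the statement even when execution throws.
    public int insertEmployee(String name) throws SQLException {
        String sql = "insert into EMP (ENAME) values (?)";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, name);
            return pstmt.executeUpdate(); // rows inserted
        }
    }

    // The search term is bound; the sort column is an identifier and is only
    // concatenated after it has been matched against the allow-list.
    public List<String> findByNamePrefix(String prefix, String sortColumn) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Escape LIKE wildcards so the prefix matches literally ('\' is the escape char here).
        String escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
        String sql = "select ENAME from EMP where ENAME like ? escape '\\' order by " + sortColumn;
        List<String> names = new ArrayList<>();
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, escaped + "%");
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("ENAME"));
                }
            }
        }
        return names;
    }
}
```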