views:

596

answers:

2

Is there a built-in way to escape user input in java using the JDBC? Something similar to the php version mysql_real_escape() function. What's the best way to validate input?

+14  A: 

If you mean how do you make sure user input can't be used in SQL injection attacks, the way to do this (and the way all SQL should be written in JDBC) is using Prepared Statements. JDBC will automatically handle any necessary escaping.

http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

skaffman
+1: Always Use Bind Variables! "Escaping" the input is to assemble dynamic SQL statements is dumb for many reasons.
S.Lott
The poor chap seems to have been tainted by PHP....
skaffman
A: 

Just to add to the suggestion by @skaffman, PreparedStatements solve the issue for the majority of applications. However, there are some applications where (parts of) SQL statements (as opposed to just parameter values) are taken from user input (for example, a URL parameter containing the ORDER BY clause). Just make sure you sanitize those as well or, better yet, avoid such designs if possible.

Alexander
This example isn't particularly compelling. if you want to have a user-injectable order-by clause, then have a fixed set of parameter which the application recognises and then has a look up table of column names for each permitted value.
skaffman