Is there a built-in way to escape user input in java using the JDBC? Something similar to the php version mysql_real_escape() function. What's the best way to validate input?
+14
A:
If you mean how do you make sure user input can't be used in SQL injection attacks, the way to do this (and the way all SQL should be written in JDBC) is using Prepared Statements. JDBC will automatically handle any necessary escaping.
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
skaffman
2008-09-28 11:58:44
+1: Always Use Bind Variables! "Escaping" the input is to assemble dynamic SQL statements is dumb for many reasons.
S.Lott
2008-09-28 13:06:23
The poor chap seems to have been tainted by PHP....
skaffman
2008-09-28 13:16:54
A:
Just to add to the suggestion by @skaffman, PreparedStatements solve the issue for the majority of applications. However, there are some applications where (parts of) SQL statements (as opposed to just parameter values) are taken from user input (for example, a URL parameter containing the ORDER BY clause). Just make sure you sanitize those as well or, better yet, avoid such designs if possible.
Alexander
2008-09-28 13:09:39
This example isn't particularly compelling. if you want to have a user-injectable order-by clause, then have a fixed set of parameter which the application recognises and then has a look up table of column names for each permitted value.
skaffman
2009-04-17 14:22:12