views:

198

answers:

4

I want something that can check if a string is "SELECT", "INSERT", etc. I'm just curious if this exists.

+1  A: 

why not start with this stored procedure and modify it to suit your needs, possibly even convert it to Java using the hashmap as Steve suggested.

Personally I like the idea of a stored procedure because different databases may have different keywords so it seems elegant to have the database pass judgement

Richard Harrison
+4  A: 

Easy enough to add :

    HashSet<String>  sqlKeywords =
     new HashSet<String>(Arrays.asList(
       new String[] { ... cut and paste a list of sql keywords here ..  }));
Steve B.
+3  A: 

If you're trying to prevent SQL injection, it would be better to leverage the built in features of JDBC, such as prepared statements. In general, using string concatenation to form the SQL statement is dangerous. From Preventing SQL Injection in Java:

Prepared Statements:

String selectStatement = "SELECT * FROM User WHERE userId = ? ";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();
Chase Seibert
+1  A: 

DatabaseMetaData.getSQLKeywords will return the databases keywords that are not in SQL-2003 (SQL-2003 keyword can be found in the standard). There are other methods within that interface for getting various types of function names and similar.

As Chase Seibert mentions, don't think this is an effective way to block SQL injection attacks.

Tom Hawtin - tackline