Java EE (Java Enterprise Edition) General Discussion

best way of avoiding SQL injection?

843841, Dec 5 2005 (edited Dec 5 2005)
Hey,

I was wondering what you guys would recommend to prevent SQL injections. Now, I know that you can use the PreparedStatement and setString for cases like this:
String userName  = request.getParameter("username");
String sqlString = "SELECT * FROM UserTable WHERE USERNAME='" + userName + "'";
but what can you do when you have cases like these:
String userdef_table  = request.getParameter("userdef_table");
String userName  = request.getParameter("username");
String sqlString = "SELECT * FROM " + userdef_table + " WHERE USERNAME='" + userName + "'";
Note: userdef_table can be created by the admin, so I won't know what tables are around.

thanks,

domet
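The following is an added example, not code from the original post, showing one way to handle both halves of the question: the username goes through a PreparedStatement parameter as usual, and the table name, which cannot be a bind parameter, is checked against the tables the driver actually reports (DatabaseMetaData.getTables) and then quoted with Statement.enquoteIdentifier so that only a catalogue-supplied name ever reaches the SQL text. It assumes JDBC 4.3 (Java 9 or later) for enquoteIdentifier, that the driver lists user-created tables under type "TABLE", and the USERNAME column from the post; the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class UserLookup {

    // Defence in depth: a request value that is not a plain identifier is rejected
    // before the catalogue is even consulted. Assumed naming rule; adjust if the
    // admin legitimately creates names outside this pattern.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    /**
     * Tables visible to this connection, as reported by the driver. Read at request
     * time rather than hard-coded because the admin can add tables at any moment.
     */
    static Set<String> existingTables(Connection conn) throws SQLException {
        Set<String> names = new HashSet<>();
        DatabaseMetaData md = conn.getMetaData();
        try (ResultSet rs = md.getTables(null, null, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                names.add(rs.getString("TABLE_NAME"));
            }
        }
        return names;
    }

    /**
     * Maps the request parameter onto a table the catalogue knows, or rejects it.
     * The string returned is the catalogue's own spelling of the name, never the
     * request value, so no request data is ever concatenated into SQL.
     */
    static String resolveTable(Connection conn, String requested) throws SQLException {
        if (requested == null || !SAFE_IDENTIFIER.matcher(requested).matches()) {
            throw new IllegalArgumentException("invalid table name");
        }
        for (String known : existingTables(conn)) {
            // Case-insensitive match on input, but the stored name is what gets used
            if (known.equalsIgnoreCase(requested)) {
                return known;
            }
        }
        throw new IllegalArgumentException("unknown table: " + requested);
    }

    /** Runs the query from the post safely and returns the matching USERNAME values. */
    static List<String> findUsers(Connection conn, String userdefTable, String userName)
            throws SQLException {
        String table = resolveTable(conn, userdefTable);

        // enquoteIdentifier (JDBC 4.3) double-quotes the catalogue name so it is
        // matched exactly as stored and cannot be read as anything but an identifier.
        String sql;
        try (Statement s = conn.createStatement()) {
            sql = "SELECT USERNAME FROM " + s.enquoteIdentifier(table, true)
                    + " WHERE USERNAME = ?";
        }

        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);   // the only place request data meets the DB
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString(1));
                }
            }
        }
        return found;
    }
}
```

Usage from a servlet would be `findUsers(conn, request.getParameter("userdef_table"), request.getParameter("username"))`, catching IllegalArgumentException and answering with a generic error rather than echoing the rejected name. The metadata lookup costs a round trip per request; if that matters, cache the table set for a short interval and refresh it when the admin creates a table, but keep the exact-match rule, since an allowlist is only as strong as the comparison against it.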
Locked on Jan 2 2006
Added on Dec 5 2005