
Java EE (Java Enterprise Edition) General Discussion


Prevent SQL Injection Attack

843841, Feb 20 2004 (edited Aug 20 2007)
Hi,

Let's say I have a login page using JSP or a servlet, and this is the SQL statement that will be used to query the database:

    String userName = request.getParameter("username");
    String passWord = request.getParameter("password");
    // Request parameters are concatenated straight into the SQL text
    String sqlString = "SELECT * FROM UserTable WHERE USERNAME='" + userName
                     + "' AND PASSWORD='" + passWord + "'";
What is a good approach to prevent SQL injection attacks?

I am thinking of using StringTokenizer to validate the sqlString up to the 4th single quote before it is used in stmt.executeQuery(sqlString). Anything after the 4th single quote will be discarded.

Does anyone have any better ideas?
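For comparison, the same login query written with a JDBC PreparedStatement, added here as an example (it is not code from the original post). It assumes a container-supplied javax.sql.DataSource and reuses the UserTable, USERNAME and PASSWORD names from the question; the point is that the SQL text is fixed and the user input is bound as values, so quotes in the input can never change the statement's structure, which a truncate-after-the-4th-quote check cannot guarantee.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Added example, not part of the original post. The DataSource is assumed
// to be provided by the servlet container (e.g. via JNDI lookup).
public class LoginDao {
    private final DataSource dataSource;

    public LoginDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Returns true if exactly one matching row exists. The username and
     * password never become part of the SQL text: the driver sends them
     * separately as parameters, so any quote or keyword they contain is
     * treated as data, not as SQL syntax.
     */
    public boolean authenticate(String userName, String passWord) throws SQLException {
        final String sql =
            "SELECT COUNT(*) FROM UserTable WHERE USERNAME = ? AND PASSWORD = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);   // bound as a value, not spliced into the text
            ps.setString(2, passWord);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) == 1;
            }
        }
    }
}
```

The query keeps the plaintext PASSWORD column from the question for a like-for-like comparison; in practice the column would hold a salted hash and the comparison would be done in Java after fetching the stored hash.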
Post locked on Sep 17 2007. 18 comments, 756 views.