java - Does the PreparedStatement avoid SQL injection?
I have read about this and tried to inject vulnerable SQL queries into my application. It is not safe enough. I am using Statement connections to the database for validations and other insertion operations.
Is PreparedStatement safe? And is there a problem with Statement too?
Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

    preparedStatement = "SELECT * FROM users WHERE name = '" + userName + "';";

If someone puts

    ' or '1'='1

as the username, your PreparedStatement will be vulnerable to SQL injection, since the query will be executed on the database as

    SELECT * FROM users WHERE name = '' or '1'='1';

So, if you use

    preparedStatement = "SELECT * FROM users WHERE name = ?";
    preparedStatement.setString(1, userName);

you will be safe.

Some of this code was taken from this Wikipedia article.