SQL Injection in Java and MySQL when using multiple queries

Backend · Unresolved · 3 answers · 509 views
野性不改 · 2020-12-20 03:44

I've got a web application with an SQL injection as part of an INSERT statement. It looks like this:

INSERT INTO table1 VALUES ('str1', 1, 'INJECTION HER

3 answers
  •  夕颜 (original poster) · 2020-12-20 04:15

    As explained in this post, there are more bad things that can happen to your application than the classic table DROP:

    • call a sleep function so that all your database connections are kept busy, thereby making your application unavailable
    • extract sensitive data from the DB
    • bypass the user authentication

    Bottom line: you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose.
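The INSERT shape from the question and the answer's advice, worked through as an added example that is not part of this thread. It uses Python's sqlite3 module so it runs offline (an assumption: the question is about Java and MySQL, where the safe API is JDBC's PreparedStatement with `?` placeholders, and the same multi-row VALUES trick applies). The schema, the `secrets` table, the column names and the payload are all constructed for illustration.

```python
import sqlite3

# Constructed sample schema: table1 mirrors the question's
# INSERT INTO table1 VALUES ('str1', 1, '...') shape, and 'secrets'
# stands in for data an attacker wants to read.
SCHEMA = """
CREATE TABLE table1 (col1 TEXT, col2 INTEGER, col3 TEXT);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, secret TEXT);
INSERT INTO secrets (secret) VALUES ('admin-password-hash');
"""

# Attacker-controlled value for the third column (constructed). It closes
# the open string literal, finishes the first row, appends a second row
# whose third column is a scalar subquery against another table, and
# comments out the rest of the original statement. It is still a single
# statement, so it does not depend on multiple queries being enabled.
PAYLOAD = "x'), ('exfil', 0, (SELECT secret FROM secrets LIMIT 1)) -- "


def fresh_db():
    """Return a new in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_vulnerable(conn, str1, n, comment):
    """String concatenation, as in the question: user input becomes SQL text."""
    sql = ("INSERT INTO table1 VALUES ('" + str1 + "', " + str(n)
           + ", '" + comment + "')")
    conn.execute(sql)
    conn.commit()
    return sql


def insert_safe(conn, str1, n, comment):
    """Parameterised query: values travel separately from the SQL text, so the
    payload is stored as an ordinary string. Java equivalent: PreparedStatement."""
    sql = "INSERT INTO table1 VALUES (?, ?, ?)"
    conn.execute(sql, (str1, n, comment))
    conn.commit()
    return sql


def rows(conn):
    """All rows of table1 in insertion order."""
    return conn.execute(
        "SELECT col1, col2, col3 FROM table1 ORDER BY rowid").fetchall()


def demo():
    """Run the same payload through both insert paths and return both results."""
    vuln = fresh_db()
    insert_vulnerable(vuln, "str1", 1, PAYLOAD)
    vulnerable_rows = rows(vuln)

    safe = fresh_db()
    insert_safe(safe, "str1", 1, PAYLOAD)
    safe_rows = rows(safe)
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    v, s = demo()
    print("concatenated :", v)
    print("parameterised:", s)
```

With concatenation the table ends up with two rows, the second carrying the secret pulled out of another table; with placeholders it holds one row whose third column is the raw payload text. On MySQL the same subquery position would take `SLEEP()` to tie up connections, which is the availability attack the answer mentions.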
