发表新帖
发表新帖

How to escape user-supplied parameters with a SQL query?

后端 未结
关注
1 1622
迷失自我
迷失自我 2020-12-20 16:20

Trying to get started with JDBC (using Jetty + MySQL). I\'m not sure how to escape user-supplied parameters in a SQL statement. Example:

String username = ge
相关标签:
1条回答
  • 醉话见心
    2020-12-20 16:36

    Use Prepared statement.

    for example : 

    con.prepareStatement("update Orders set pname = ? where Prod_Id = ?");
pstmt.setInt(2, 100);
pstmt.setString(1, "Bob");
pstmt.executeUpdate();

    It will prevent raw SQL injection

    If you want to escape sql string then check for StringEscapeUtils.escapeSql(). Note that that this method was deprecated in Commons Lang 3.

    Also See

    • does-using-preparedstatement-mean-there-will-not-be-any-sql-injection
    0 讨论(0)
 看不清?
提交回复
热议问题