How should I sanitize database input in Java?

Question

Could someone please point me to a good beginner guide on safely running SQL queries formed partly from user input? I\'m using Java, but a language neutral guide is fine to

Answer 1

Your user input would actually have to be "Bob'; delete from foo; select '" (or something like that) so the implicit quotes added by the prepared statement would be closed:

SELECT * FROM FOO WHERE NAME = 'Bob'; delete from foo; select ''

but if you do that the prepared statement code will quote your quote so you get an actual query of

SELECT * FROM FOO WHERE NAME = 'Bob''; delete from foo; select '''

and your name would be stored as "Bob', delete from foo; select '" instead of running multiple queries.

Answer 2

PreparedStatement? Yes, absolutely. But I think there's one more step: validation of input from UI and binding to objects prior to getting close to the database.

I can see where binding a String in PreparedStatement might still leave you vulnerable to a SQL injection attack:

String userInput = "Bob; DELETE FROM FOO";
String query = "SELECT * FROM FOO WHERE NAME = ?";

PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, userInput);
ps.executeQuery();

I've gotta admit that I haven't tried it myself, but if this is remotely possible I'd say PreparedStatement is necessary but not sufficient. Validating and binding on the server side is key.

I'd recommend doing it with Spring's binding API.

Answer 3

You definitely want to use PreparedStatements. They are convenient. Here is an example.

Answer 4

Normally, you shouldn't create a query concatenating input, but using PreparedStatement instead.

That lets you specify in which places you'll be setting your parameters inside your query, so Java will take care of sanitizing all inputs for you.

Answer 5

Use PreparedStatement instead of Statement