How Should I Sanitize Database Input In Java?
Solution 1:
You definitely want to use PreparedStatements. They are convenient. Here is an example.
Solution 2:
Use PreparedStatement instead of Statement
Solution 3:
Normally, you shouldn't create a query by concatenating input, but should use PreparedStatement instead.
That lets you specify in which places you'll be setting your parameters inside your query, so Java will take care of sanitizing all inputs for you.
Solution 4:
PreparedStatement? Yes, absolutely. But I think there's one more step: validation of input from UI and binding to objects prior to getting close to the database.
I can see where binding a String in PreparedStatement might still leave you vulnerable to a SQL injection attack:
String userInput = "Bob; DELETE FROM FOO";
String query = "SELECT * FROM FOO WHERE NAME = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, userInput);
ps.executeQuery();
I've gotta admit that I haven't tried it myself, but if this is remotely possible I'd say PreparedStatement is necessary but not sufficient. Validating and binding on the server side is key.
I'd recommend doing it with Spring's binding API.
Solution 5:
Your user input would actually have to be "Bob'; delete from foo; select '"
(or something like that) so the implicit quotes added by the prepared statement would be closed:
SELECT * FROM FOO WHERE NAME = 'Bob'; delete from foo; select ''
but if you do that the prepared statement code will quote your quote so you get an actual query of
SELECT * FROM FOO WHERE NAME = 'Bob''; delete from foo; select '''
and your name would be stored as "Bob', delete from foo; select '"
instead of running multiple queries.
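The following is an added example, not code from any of the answers above, that puts Solution 3's point (placeholders keep the SQL text fixed) and Solution 5's point (the bound value is stored as a plain string) side by side in runnable JDBC. It assumes the H2 in-memory database driver is on the classpath; the table name FOO and the probe strings are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Assumption: the H2 driver (com.h2database:h2) is on the classpath.
    // Every JDBC call below is standard java.sql, so any driver and URL would do.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // VULNERABLE: user input is spliced into the SQL text, so a quote character
    // in the input changes the structure of the statement the database parses.
    static int countByNameConcatenated(Connection c, String userInput) throws SQLException {
        String sql = "SELECT COUNT(*) FROM FOO WHERE NAME = '" + userInput + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // HARDENED: the SQL text is fixed at prepare time; the value travels
    // separately as a parameter and is only ever compared as data.
    static int countByNamePrepared(Connection c, String userInput) throws SQLException {
        String sql = "SELECT COUNT(*) FROM FOO WHERE NAME = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userInput);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Inserts with a bound parameter: whatever the string contains ends up
    // as the row's NAME value, nothing more.
    static void insertName(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("INSERT INTO FOO (NAME) VALUES (?)")) {
            ps.setString(1, name);
            ps.executeUpdate();
        }
    }

    static int countAll(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM FOO")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE FOO (NAME VARCHAR(100))");
            }
            insertName(c, "Bob");
            insertName(c, "Alice");

            // Constructed probe: a quote plus an always-true tail.
            String probe = "nobody' OR '1'='1";
            System.out.println("concatenated match count: " + countByNameConcatenated(c, probe));
            System.out.println("prepared match count:     " + countByNamePrepared(c, probe));

            // The exact string discussed in Solutions 4 and 5, bound as a parameter.
            String payload = "Bob'; delete from foo; select '";
            insertName(c, payload);
            System.out.println("rows still present: " + countAll(c));
            System.out.println("payload stored as a literal name: "
                    + (countByNamePrepared(c, payload) == 1));
        }
    }
}
```

Run it once and compare the two match counts: the concatenated query's WHERE clause is rewritten by the probe and matches every row, while the prepared query looks for a row whose NAME is literally the probe string. The insert of the Solution 5 payload then shows what Solution 5 describes: the table keeps its rows and the payload is retrievable as an ordinary value. The `countByNameConcatenated` method is kept only for contrast and is the pattern to remove from real code.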