The most common mistake in preventing SQL injection is concatenating user input into the query string before handing it to a prepared statement.
Let's look at the following example:
String input = request.getParameter("xxx");
String x = "SELECT * FROM passwords WHERE user=" + input; // Vulnerable to SQL injection: the input is concatenated into the SQL text.
PreparedStatement stmt = conn.prepareStatement(x); // The prepared statement cannot escape a value that is already part of the query string, so the prevention fails.
ResultSet results = stmt.executeQuery();
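The corrected form of the lookup above, as an added example rather than code from the post: the SQL text is a constant with a `?` placeholder and the request value is bound with `setString()`, so the driver always treats it as data. The `Connection conn` is assumed to come from the application's own JDBC setup (e.g. `DriverManager.getConnection(url)` with a driver on the classpath); the `queryTextLeaksInput` helper and the `PasswordLookup` class name are assumptions for illustration, and the `main` runs with just the JDK to show the difference in query text.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class PasswordLookup {

    // Vulnerable form from the post: the request value is spliced into the SQL text
    // before prepareStatement() ever sees it, so there is nothing left for the driver to bind.
    static PreparedStatement vulnerableLookup(Connection conn, String input) throws SQLException {
        String sql = "SELECT * FROM passwords WHERE user=" + input;
        return conn.prepareStatement(sql);
    }

    // Corrected form: the SQL text never changes, and the value travels separately
    // through setString(), so the database parses the statement before it sees the input.
    static List<String> safeLookup(Connection conn, String input) throws SQLException {
        String sql = "SELECT user FROM passwords WHERE user = ?";
        List<String> users = new ArrayList<>();
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, input);
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    users.add(rs.getString("user"));
                }
            }
        }
        return users;
    }

    // Assumed review helper: the SQL text passed to prepareStatement() should never
    // contain bytes that came from the request. A true result means the call is
    // concatenating input and the "prepared" statement is not protecting anything.
    static boolean queryTextLeaksInput(String sqlText, String input) {
        return !input.isEmpty() && sqlText.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample value; in the post it is request.getParameter("xxx").
        String input = "alice";
        String concatenated = "SELECT * FROM passwords WHERE user=" + input;
        String placeholder = "SELECT user FROM passwords WHERE user = ?";
        System.out.println("concatenated text contains input: " + queryTextLeaksInput(concatenated, input)); // true
        System.out.println("placeholder text contains input:  " + queryTextLeaksInput(placeholder, input));  // false
    }
}
```

The point of `queryTextLeaksInput` is a cheap, mechanical check during code review: if the string you hand to `prepareStatement()` can ever differ depending on a request parameter, the statement is not parameterized, whatever the class name says. `safeLookup` needs a real `Connection` to run; the `main` only contrasts the two query texts and runs with the JDK alone.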