
I am coding an interface which manages a database with all DML and some DDL features. One feature should be that an admin can add users to the database with specified privileges. I know how to grant privileges in SQL; I only need it done via a Java application.

So is there a way to get this done safely? It probably will work with a simple executeUpdate

// The user name and password are concatenated straight into the SQL text
String cu = "create user"+userName+" identified by "+pw+";";
Statement stmt;
stmt = con.createStatement();
stmt.executeUpdate(cu);   // executes the string built above (the original called executeUpdate(query), a variable that does not exist)

but this opens my ass for injections. Is there a way to get this done safely by a pre-existing method? Please help me out, mighty stackoverflow community :)

2 Answers


Yes, there is a better way of doing this. Use PreparedStatement instead of Statement.


1 Comment

thanks, I didn't notice the possibilities of using PreparedStatement. I didn't think of putting the wildcards anywhere, sorry for not thinking of consulting the oradocs myself, should have come to my mind :S

You need a gap and a quotation mark ' for the password,

 String cu = "create user "+userName+" identified by '"+pw+"';";
                         |
                         |_put gap here

1 Comment

this was just a quick sample of my thoughts, I know the syntax, but thanks
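An added example (not code from the question or from either answer) showing how the two points above combine in practice. The first answer recommends PreparedStatement, but JDBC bind parameters (`?`) can only stand in for values, never for identifiers or DDL keywords, so `CREATE USER ?` cannot be parameterised on most drivers. The second answer points out the missing space and the quoting around the password. The defensive pattern is therefore: allow-list the user name, quote the identifier and the password literal with SQL-standard doubling, and only then hand the assembled DDL to `Statement.executeUpdate`. The class name `DbUserAdmin`, the helper names and the regex are assumptions made for this example; the single-quoted password literal matches the MySQL-style syntax the second answer uses (Oracle instead expects the password in double quotes after `IDENTIFIED BY`, so that line would change for Oracle).

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Hypothetical helper for the admin "add user" feature; all names are made up for this example.
public final class DbUserAdmin {

    // Allow-list for user names: a letter, then up to 29 letters, digits or underscores.
    // Quotes, spaces, semicolons and comment markers never pass, so injection via the
    // identifier position is ruled out before any quoting happens.
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,29}");

    static String validateUserName(String userName) {
        if (userName == null || !USER_NAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("user name rejected by allow-list");
        }
        return userName;
    }

    // SQL-standard identifier quoting: wrap in double quotes, double any embedded double quote.
    // Kept as a second line of defence even though the allow-list already excludes quotes.
    static String quoteIdentifier(String identifier) {
        return "\"" + identifier.replace("\"", "\"\"") + "\"";
    }

    // SQL-standard string literal: wrap in single quotes, double any embedded single quote.
    // Caveat: this assumes the DBMS does not also treat backslash as an escape inside
    // literals (MySQL does by default unless NO_BACKSLASH_ESCAPES is in effect); on such
    // a server use the driver's own Statement.enquoteLiteral (JDBC 4.3, Java 9+) instead.
    static String quoteLiteral(String value) {
        if (value == null || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("literal must be non-null and contain no NUL character");
        }
        return "'" + value.replace("'", "''") + "'";
    }

    // Identifiers and DDL keywords cannot be supplied as '?' bind parameters, so the
    // statement text is assembled from validated and quoted pieces instead.
    // Note the space after CREATE USER that the question's snippet lacked.
    static String buildCreateUser(String userName, String password) {
        return "CREATE USER " + quoteIdentifier(validateUserName(userName))
             + " IDENTIFIED BY " + quoteLiteral(password);
    }

    // Validation runs before the connection is touched, so a rejected name never reaches the server.
    public static void createUser(Connection con, String userName, String password) throws SQLException {
        String ddl = buildCreateUser(userName, password);
        try (Statement stmt = con.createStatement()) {
            stmt.executeUpdate(ddl);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; this part needs no database connection.
        System.out.println(buildCreateUser("report_user", "s3cret'pass"));
        try {
            buildCreateUser("o'brien", "x");   // quote character in the identifier: rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is the real control here: quoting alone is dialect-dependent, whereas refusing anything outside `[A-Za-z0-9_]` for the identifier removes the whole class of problem regardless of driver or server. Privileges granted afterwards (`GRANT ...`) follow the same rule, since the role or object names in a GRANT are identifiers too and cannot be bound with `?`.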
