I'm using Java for a web application, and I'm working with a MySQL database. I need to escape the query before executing it. This is my current code:

// Caller: user-controlled strings are concatenated straight into the SQL text.
db_result = mydb.selectQuery("SELECT nickname FROM users WHERE nickname='" + log_check_user + "' AND password='" + log_check_pass + "'");

// Runs an arbitrary SQL string against the connection held in the field 'db'
// and returns each row as a String[] (one element per column).
// 'errore' is a String field of the enclosing class that stores the last error message.
public Vector selectQuery(String query) {
   Vector v = null;
   String[] record;
   int colonne = 0;   // column count
   try {
      Statement stmt = db.createStatement();
      ResultSet rs = stmt.executeQuery(query);
      v = new Vector();
      ResultSetMetaData rsmd = rs.getMetaData();
      colonne = rsmd.getColumnCount();

      while (rs.next()) {
         record = new String[colonne];
         for (int i = 0; i < colonne; i++) record[i] = rs.getString(i + 1);   // JDBC columns are 1-based
         v.add((String[]) record.clone());
      }
      rs.close();
      stmt.close();
   } catch (Exception e) { e.printStackTrace(); errore = e.getMessage(); }

   return v;
}

I need this, as you can imagine, to avoid the SQL injection problem! How can I do it?

  • What's db? What kind of object; which class? Depending on the DB driver you use, there may be better ways, like using prepared statements. Commented Nov 10, 2010 at 15:08
  • MySQL... I've written it :) JDBC driver! Commented Nov 10, 2010 at 16:25

1 Answer

Use a prepared statement:

Sometimes it is more convenient to use a PreparedStatement object for sending SQL statements to the database. This special type of statement is derived from the more general class, Statement...

If you want to execute a Statement object many times, it usually reduces execution time to use a PreparedStatement object instead.

The main feature of a PreparedStatement object is that, unlike a Statement object, it is given a SQL statement when it is created. The advantage to this is that in most cases, this SQL statement is sent to the DBMS right away, where it is compiled. As a result, the PreparedStatement object contains not just a SQL statement, but a SQL statement that has been precompiled. This means that when the PreparedStatement is executed, the DBMS can just run the PreparedStatement SQL statement without having to compile it first...


2 Comments

+1. Also, Vector is considered to be deprecated, see stackoverflow.com/questions/1386275/…
In all discussions of SQL injection, this link is compulsory: xkcd.com/327
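The answer above says what to use but not what the original selectQuery looks like once it is parameterised. The following is an added example, not code from the question or the answer: it replaces selectQuery(String) with a version that takes the fixed SQL text plus the values to bind, so a single quote in log_check_user is treated as data rather than as SQL syntax. The database URL, credentials, table and the SafeQuery class name are assumptions; the try-with-resources form needs Java 7 or later, and the classic ' OR '1'='1' -- payload in main is there only to show that it no longer matches every row.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SafeQuery {

    private final Connection db;
    private String errore;   // last error message, as in the original class

    public SafeQuery(Connection db) {
        this.db = db;
    }

    // The original, vulnerable construction, kept only to show what the DBMS
    // would actually receive when the user name contains a quote.
    public static String unsafeQueryText(String user, String pass) {
        return "SELECT nickname FROM users WHERE nickname='" + user
             + "' AND password='" + pass + "'";
    }

    // Parameterised replacement for selectQuery(String): the SQL text is fixed
    // and compiled first, each '?' is bound afterwards with setObject, so the
    // bound values can never change the structure of the statement.
    public List<String[]> selectQuery(String sql, Object... params) {
        List<String[]> rows = new ArrayList<>();
        try (PreparedStatement stmt = db.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                stmt.setObject(i + 1, params[i]);   // JDBC parameters are 1-based
            }
            try (ResultSet rs = stmt.executeQuery()) {
                int colonne = rs.getMetaData().getColumnCount();
                while (rs.next()) {
                    String[] record = new String[colonne];
                    for (int c = 0; c < colonne; c++) {
                        record[c] = rs.getString(c + 1);
                    }
                    rows.add(record);
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
            errore = e.getMessage();
        }
        return rows;
    }

    public String getErrore() {
        return errore;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection details; adjust to your own MySQL instance.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/webapp", "appuser", "apppass")) {
            SafeQuery mydb = new SafeQuery(conn);

            // Classic injection payload used as the nickname. Concatenated, the
            // WHERE clause becomes  nickname='' OR '1'='1' -- ' AND password='...'
            // and the trailing '--' comments the password check away.
            String logCheckUser = "' OR '1'='1' -- ";
            String logCheckPass = "anything";

            System.out.println("Concatenated SQL the server would see:");
            System.out.println("  " + unsafeQueryText(logCheckUser, logCheckPass));

            // Bound as a parameter the same payload is just a nickname literal
            // that no user has, so the query returns no rows.
            List<String[]> result = mydb.selectQuery(
                "SELECT nickname FROM users WHERE nickname=? AND password=?",
                logCheckUser, logCheckPass);

            System.out.println("rows matched with PreparedStatement: " + result.size());
            if (mydb.getErrore() != null) {
                System.out.println("error: " + mydb.getErrore());
            }
        }
    }
}
```

Two details worth keeping: the SQL string passed to prepareStatement must never itself be built from user input (only the ? placeholders are protected), and the placeholders stand for values, not for identifiers, so a table or column name chosen by the user still has to be checked against a fixed allow-list in Java code.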
