@ferromir
Created March 20, 2015 06:01
ACR - Java - SQL Injection
import java.sql.*; // Connection, Statement, PreparedStatement, ResultSet (added for completeness)

// Insecure code
// The request parameter is pasted straight into the SQL text, so whatever the client
// sends becomes part of the query. (The value is not even quoted, so a plain name
// would be parsed as a column reference rather than a string literal.)
String query = "SELECT account_balance FROM user_data WHERE user_name = " + request.getParameter("customerName");
ResultSet results = statement.executeQuery( query );

// Defense using prepared statements
String custname = request.getParameter("customerName"); // This should REALLY be validated too
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; // '?' is a bind placeholder
PreparedStatement pstmt = connection.prepareStatement( query );             // SQL text is fixed here
pstmt.setString( 1, custname);      // the value is bound separately and is never parsed as SQL
ResultSet results = pstmt.executeQuery( );
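The following is an added, runnable example that is not part of the gist. It reproduces the two patterns above (string concatenation versus a bound `?` placeholder) and the "should REALLY be validated too" step, but in Python with the standard-library `sqlite3` module rather than Java/JDBC, because that runs offline with no driver; the binding semantics are the same as `PreparedStatement.setString`. The table contents, the function names and the test input are all constructed for this example, and the concatenated query includes the single quotes a string comparison needs so that a benign name actually matches.

```python
import re
import sqlite3

# Constructed sample data (not from the gist): two accounts in the user_data table.
SAMPLE_ROWS = [("alice", 100), ("bob", 250)]


def make_db():
    """Create an in-memory SQLite database with the table the gist's query targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def insecure_lookup(conn, customer_name):
    """Mirrors the gist's 'Insecure code': the parameter is concatenated into the
    SQL text, so the caller controls the query structure, not just a value."""
    query = ("SELECT account_balance FROM user_data WHERE user_name = '"
             + customer_name + "'")
    return [row[0] for row in conn.execute(query)]


def secure_lookup(conn, customer_name):
    """Mirrors the gist's prepared-statement defense: the '?' placeholder is bound
    to the value and the SQL text never changes, whatever the value contains."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]


# Allowlist for user names (hypothetical policy for this example).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_customer_name(customer_name):
    """Input validation, the 'should REALLY be validated too' step from the gist:
    accept only the characters a user name may contain, reject everything else."""
    return NAME_RE.fullmatch(customer_name) is not None


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input: closes the string literal and appends an always-true clause.
    payload = "' OR '1'='1"
    print("insecure, alice  :", insecure_lookup(conn, "alice"))    # [100]
    print("insecure, payload:", insecure_lookup(conn, payload))    # every balance leaks
    print("secure, payload  :", secure_lookup(conn, payload))      # [] - no such user
    print("payload passes validation?", is_valid_customer_name(payload))  # False
```

Running it shows the difference the gist is making: the concatenated query returns every row for the test input because the input changed the query's structure, while the parameterised query treats the same bytes as one literal user name and returns nothing. The allowlist check is a second, independent layer; it would have rejected the input before any query ran, which is why the gist's comment insists on validation even when prepared statements are in use.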