Skip to content

Instantly share code, notes, and snippets.

@guilhermesilveira
Last active December 16, 2015 04:49
Show Gist options
  • Save guilhermesilveira/5379996 to your computer and use it in GitHub Desktop.
Save guilhermesilveira/5379996 to your computer and use it in GitHub Desktop.
SQL Injection Example
Criteria criteria = session.createCriteria(User.class);
criteria.add(eq("email", email);
criteria.add(eq("password", password);
User found = criteria.setMaxResults(1).uniqueResult();
String sql = "select * from User where email=? and password=?";
PreparedStatement stmt = con.prepareStatement(sql);
stmt.setParameter(1, email).setParameter(2, password);
ResultSet result = stmt.execute();
String email = request.getParameter("email");
if(email != null) email = email.replace("'", "\\'");
public class SimpleServlet extends HttpServlet {
public void service(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String email = request.getParameter("email");
String password = request.getParameter("password");
String sql = "select * from User where email='" + email + "' and password='" + password + "'";
Connection con = // grab a connection;
ResultSet result = con.prepareStatement(sql).execute();
// reads the user
con.close();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment