Does the preparedStatement avoid SQL injection?

java jdbc prepared-statement sql-injection
Mohamed Saligh picture Mohamed Saligh · Dec 2, 2010 · Viewed 29.4k times · Source

I have read and tried to inject vulnerable sql queries to my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations.

Is the preparedStatements safe? and moreover will there be any problem with this statement too?

Answer

darioo picture darioo · Dec 2, 2010

Using string concatenation for constructing your query from arbitrary input will not make PreparedStatement safe. Take a look at this example:

preparedStatement = "SELECT * FROM users WHERE name = '" + userName + "';";

If somebody puts

' or '1'='1

as userName, your PreparedStatement will be vulnerable to SQL injection, since that query will be executed on database as

SELECT * FROM users WHERE name = '' OR '1'='1';

So, if you use

preparedStatement = "SELECT * FROM users WHERE name = ?";
preparedStatement.setString(1, userName);

you will be safe.

Some of this code taken from this Wikipedia article.

Related questions

How does a PreparedStatement avoid or prevent SQL injection?

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise?

Read More
PreparedStatement IN clause alternatives?

What are the best workarounds for using a SQL IN clause with instances of java.sql.PreparedStatement, which is not supported for multiple values due to SQL injection attack security issues: One ? placeholder represents one value, rather than a list …

Read More
Get query from java.sql.PreparedStatement

In my code I am using java.sql.PreparedStatement. I then execute the setString() method to populate the wildcards of the prepared statement. Is there a way for me to retrieve (and print out) the final query before the executeQuery() …

Read More