Welcome to dbForumz.com!
How to insert a string that contains ' or ,

macit (External; member since Feb 05, 2008; 2 posts)
(Msg. 1) Posted: Tue Feb 05, 2008 1:32 pm
Post subject: How to insert a string that contains ' or ,
Archived from groups: comp.lang.java.databases

Hello,

I am using the following statement to insert a message from a user
into the database.

updStmt.executeUpdate("INSERT INTO Contact (uId, replyAddr, subject, msg) " +
    "VALUES (" + userId + "," +
    "\'" + replyAddr + "\'," +
    "\'" + subject + "\'," +
    "\'" + msg + "\')");

The variables userId, replyAddr, subject and msg are of type String.
Now if one of the Strings contains a ' or a , character, the SQL
statement gets messed up and causes an SQLException. Is there a way
(how) I can store a string that contains ' or , in the database?
Thanks in advance for your assistance.

macit (External; member since Feb 05, 2008; 2 posts)
(Msg. 2) Posted: Tue Feb 05, 2008 1:56 pm
Post subject: Re: How to insert a string that contains ' or ,
Archived from groups: per prev. post

On 5 Feb., 22:28, Donkey Hot wrote:
> macit wrote in
> b9d4eaabf....RemoveThis@q21g2000hsa.googlegroups.com:
>
> > Hello,
> >
> > I am using the following statement to insert a message from a user
> > into the database.
> >
> > updStmt.executeUpdate("INSERT INTO Contact (uId, replyAddr, subject, msg) " +
> >     "VALUES (" + userId + "," +
> >     "\'" + replyAddr + "\'," +
> >     "\'" + subject + "\'," +
> >     "\'" + msg + "\')");
> >
> > The variables userId, replyAddr, subject and msg are of type String.
> > Now if one of the Strings contains a ' or a , character, the SQL
> > statement gets messed up and causes an SQLException. Is there a way
> > (how) I can store a string that contains ' or , in the database?
> > Thanks in advance for your assistance.
>
> Yes. First google "sql injection" and learn that bad guys can own you and
> your system with the code you provided.
>
> You can use PreparedStatement like
>
> PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
> pstmt.setBigDecimal(1, new java.math.BigDecimal("153833.00"));
> pstmt.setInt(2, 110592);
> pstmt.executeUpdate();
>
> You create statements with placeholders (?), and bind variables or values to
> those placeholders. That way the variables CAN hold ' or , characters, and
> they do not spoil the SQL statement.
>
> If I ever see a SQL implementation like what you showed, I will sack the
> programmer.. Well maybe not, but I will lower his salary, and try to tell
> him about "sql injection".
>
> Never, never, EVER build SQL statements dynamically with
> variables like that.
>
> ALWAYS use ? placeholders. That is a privilege to you as a Java programmer.
> Leave the SQL injection to those pesky PHP guys.

Donkey Hot, thank you for the quick reply,
particularly for the "sql injection" info, which seems important.
(haven't heard about it yet - just started with SQL two weeks ago, so
thank you very much for the hint!)

Donkey Hot (External; member since Sep 26, 2007; 4 posts)
(Msg. 3) Posted: Tue Feb 05, 2008 6:00 pm
Post subject: Re: How to insert a string that contains ' or ,
Archived from groups: per prev. post

macit wrote in
b9d4eaabffe8.DeleteThis@q21g2000hsa.googlegroups.com:

> Hello,
>
> I am using the following statement to insert a message from a user
> into the database.
>
> updStmt.executeUpdate("INSERT INTO Contact (uId, replyAddr, subject, msg) " +
>     "VALUES (" + userId + "," +
>     "\'" + replyAddr + "\'," +
>     "\'" + subject + "\'," +
>     "\'" + msg + "\')");
>
> The variables userId, replyAddr, subject and msg are of type String.
> Now if one of the Strings contains a ' or a , character, the SQL
> statement gets messed up and causes an SQLException. Is there a way
> (how) I can store a string that contains ' or , in the database?
> Thanks in advance for your assistance.
>

Yes. First google "sql injection" and learn that bad guys can own you and
your system with the code you provided.

You can use PreparedStatement like

PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new java.math.BigDecimal("153833.00"));
pstmt.setInt(2, 110592);
pstmt.executeUpdate();

You create statements with placeholders (?), and bind variables or values to
those placeholders. That way the variables CAN hold ' or , characters, and
they do not spoil the SQL statement.

If I ever see a SQL implementation like what you showed, I will sack the
programmer.. Well maybe not, but I will lower his salary, and try to tell
him about "sql injection".

Never, never, EVER build SQL statements dynamically with
variables like that.

ALWAYS use ? placeholders. That is a privilege to you as a Java programmer.
Leave the SQL injection to those pesky PHP guys.
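The INSERT from the question rewritten with PreparedStatement, added here as a worked example; it is not code from the thread. It assumes the uId column is numeric (the original concatenates userId without quotes) and, for main() only, that the H2 in-memory JDBC driver is on the classpath; any JDBC driver binds parameters the same way.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ContactInsert {

    // The SQL text is fixed and every user-supplied value is a ? placeholder.
    // The driver sends values separately from the statement, so a ' or , in msg
    // cannot change the statement's structure, and no manual escaping is needed.
    private static final String INSERT_SQL =
        "INSERT INTO Contact (uId, replyAddr, subject, msg) VALUES (?, ?, ?, ?)";

    public static int insertContact(Connection con, int userId, String replyAddr,
                                    String subject, String msg) throws SQLException {
        try (PreparedStatement pstmt = con.prepareStatement(INSERT_SQL)) {
            pstmt.setInt(1, userId);        // assumption: uId is an integer column
            pstmt.setString(2, replyAddr);  // bound as data, never spliced into SQL
            pstmt.setString(3, subject);
            pstmt.setString(4, msg);
            return pstmt.executeUpdate();   // rows affected, 1 on success
        }
    }

    // Reads the message back, also with a bound parameter, to show the round trip.
    public static String readMsg(Connection con, int userId) throws SQLException {
        try (PreparedStatement pstmt =
                 con.prepareStatement("SELECT msg FROM Contact WHERE uId = ?")) {
            pstmt.setInt(1, userId);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath (jdbc:h2:mem: is an in-memory DB).
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement ddl = con.createStatement()) {
            ddl.executeUpdate("CREATE TABLE Contact (uId INT, replyAddr VARCHAR(255), "
                            + "subject VARCHAR(255), msg VARCHAR(4000))");
            // Constructed sample input containing both characters from the question.
            String msg = "It's broken, isn't it? Regards, O'Brien";
            insertContact(con, 42, "user@example.com", "Can't log in, again", msg);
            System.out.println(msg.equals(readMsg(con, 42)));  // true: stored verbatim
        }
    }
}
```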
Arne_Vajhøj (External; member since Aug 20, 2006; 40 posts)
(Msg. 4) Posted: Tue Feb 05, 2008 10:17 pm
Post subject: Re: How to insert a string that contains ' or ,
Archived from groups: per prev. post

Donkey Hot wrote:
> ALWAYS use ? placeholders. That is a privilege to you as a Java programmer.
> Leave the SQL injection to those pesky PHP guys.

Or tell them to read
http://www.php.net/manual/en/function.mysqli-prepare.php !

Arne
All times are Pacific Time (US & Canada).