commons-user mailing list archives

From Serge Knystautas <ser...@lokitech.com>
Subject Re: Checking if a String is both HTML and SQL safe
Date Sun, 31 Aug 2003 03:53:52 GMT
Marcelo Bello wrote:
> select * from users where username='<USER INPUT>';
> 
> But then a user could input something nasty and execute some arbitrary SQL 
> statement after the select statement. (Imagine if the user input something 
> like '; <arbitrary sql statement>;)

This is the primary use of PreparedStatements.  See the example in the 
JavaDocs.

-- 
Serge Knystautas
President
Lokitech >>> software . strategy . design >> http://www.lokitech.com
p. 301.656.5501
e. sergek@lokitech.com
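The contrast Serge points to, written out as an added example (this code is not from the thread, from Commons, or from the JDBC JavaDocs). It takes the table and column names from Marcelo's query; the class name, the `count(*)` form of the query, the hostile input and the JDBC URL passed in `args[0]` are assumptions. It needs a JDBC driver on the classpath and a reachable database with a `users(username ...)` table to run the safe half; the unsafe half only builds the query text and is never executed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/*
 * Added example, not code from the list thread. Assumes a JDBC driver on the
 * classpath and a database at the URL given as args[0] with a table
 * users(username VARCHAR ...). Table and column come from Marcelo's query;
 * everything else here is an assumption.
 */
public class UserLookup {

    /**
     * The pattern from the question: the untrusted value is spliced into the
     * SQL text, so a quote in the value closes the literal and whatever follows
     * is parsed as SQL. This method only builds the string; it is never run.
     */
    static String unsafeQueryText(String username) {
        return "select * from users where username='" + username + "'";
    }

    /**
     * PreparedStatement: the SQL text is fixed when the statement is prepared
     * and contains only the placeholder. setString() binds the value as data,
     * so the database compares username against the whole string, quotes and
     * semicolons included, and never parses it as SQL.
     */
    static int countUsersNamed(Connection conn, String username) throws SQLException {
        String sql = "select count(*) from users where username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed hostile input of the shape Marcelo describes: a closing
        // quote, a statement terminator, an arbitrary statement, then a comment.
        String hostile = "'; delete from users; --";

        System.out.println("Concatenated (vulnerable) query text:");
        System.out.println("  " + unsafeQueryText(hostile));
        // Yields: select * from users where username=''; delete from users; --'
        // That is two statements; in dialects where -- starts a comment the
        // stray trailing quote is discarded with it.

        if (args.length < 1) {
            System.out.println("Pass a JDBC URL as the first argument to run the safe query.");
            return;
        }
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // The same hostile string bound as a parameter is just a username
            // nobody has: the count is 0 and no second statement runs.
            int n = countUsersNamed(conn, hostile);
            System.out.println("Rows matching the hostile string via PreparedStatement: " + n);
        }
    }
}
```

The check worth doing on an existing code base is mechanical: any `Statement.execute*` call whose SQL string is built with `+` or `String.format` from request data is the vulnerable shape above, regardless of what the data "should" contain. Escaping quotes by hand is not a substitute, since it has to be right for every dialect and every data type; binding parameters removes the need to get it right at all.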

