commons-user mailing list archives

From Marcelo Bello <>
Subject Re: Checking if a String is both HTML and SQL safe
Date Sat, 30 Aug 2003 01:08:24 GMT
OK, I will explain better.

I am not actually allowing users to freely write SQL statements 
themselves. But I obviously use input data to generate SQL statements.

Something like:

select * from users where username='<USER INPUT>';

But then a user could input something nasty and execute some arbitrary SQL 
statement after the select statement. (Imagine if the user input something 
like '; <arbitrary sql statement>;)

Some of you said that PreparedStatements (I use them) are safe against this 
kind of thing, but are you really sure? The Java API doesn't explicitly 
say that.


Marcelo Bello

On Fri, 22 Aug 2003, Serge Knystautas wrote:

> Marcelo Bello wrote:
> > I am developing a web application that MUST be safe.
> > 
> > I am searching for a Java lib that can check a string to be both:
> > 
> > - HTML safe (replacing '<' with '&gt' etc... );
> > - SQL safe;
> > 
> > SQL safeness is critical, because string typed by the user will be used to
> > generate a SQL statement. I can't allow users to input a "malicious"
> > string that would end up allowing them to execute arbitrary SQL
> > statements.
> Can you expand on SQL safe?  Normally in Java you would use 
> PreparedStatements and have the user data set as parameters, so a user 
> doesn't actually write the SQL themselves.  But if you are letting 
> someone write the SQL themselves, then what "safe" do you mean?  select 
> only these tables?  select and update?  select update delete but not 
> bulk delete?  insert?

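The two query shapes the thread discusses, as an added Java example (not code from the thread or from Commons): the `users` lookup is the one in Marcelo's message; the sort-column allow-list and its column names are an assumption added to show the one thing a parameter marker cannot protect.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class UserLookup {

    // Vulnerable: the user's text is spliced into the SQL grammar, so a value
    // containing a quote (the '; <arbitrary sql statement>; case from the message)
    // changes what the database parses. Kept as-is to show the problem.
    static boolean existsUnsafe(Connection conn, String username) throws SQLException {
        String sql = "select * from users where username='" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe: the statement text is fixed when it is prepared; the value bound with
    // setString() is sent to the server (or escaped by the driver) as data, so quotes
    // and semicolons in it can never close the literal or append a statement.
    static boolean existsSafe(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "select * from users where username=?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Caveat: a '?' can only stand for a value. Identifiers such as a sort column
    // cannot be bound, so they must be checked against a fixed allow-list before
    // being concatenated. These column names are assumed, not from the thread.
    private static final Set<String> SORTABLE = Set.of("username", "created");

    static PreparedStatement listUsers(Connection conn, String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unknown sort column");
        }
        return conn.prepareStatement("select * from users order by " + sortColumn);
    }
}
```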