WebApp Sec mailing list archives

Re: Re: JDBC protections against SQL Injection


From: Pete Jansson <petej () clickvision com>
Date: Thu, 19 Mar 2009 08:01:55 -0400

On Thu, Mar 19, 2009 at 1:04 AM, <jjs_ritasa () verizon net> wrote:
> 2009/3/16 <lister () lihim org>:
>> I've heard this preached before.
>>
>> Using JDBC properly can help protect against SQL Injection.
>>
>> What protections does JDBC provide?
>
> I just posted a blog on this thread at:
>
> http://realeyes-tech.blogspot.com/2009/03/database-security.html

Some of the responses to your blog post caught this, but I didn't see
any of the responses on this list mention it -- JDBC provides
parameterized queries which prevent SQL injection.  That's the answer
to the OP's question.

On your blog, Ken van Wyk pointed out that, just because parameterized
queries prevent SQL injection, the input should still be validated
because of other potential application-level evil, such as cross-site
scripting. Your blog post also made good points about input
validation.

Getting data into SQL queries by any means other than parameters is
100% FAIL, and every application developer should know better by now.
As a community, we need to do a better job of getting the word out,
because this should have been the first answer to the OP's question,
with four or five people writing "me too!"
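The point above, shown side by side as an added example (not code from the thread or from any of the cited blog posts): the same lookup built by string concatenation, which lets a quote in the input change the query, and built with a JDBC PreparedStatement, where the SQL text is fixed and the value is bound separately. The users table, its columns and the Connection supplied by the caller are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class JdbcLookup {

    // Constructed sample input: the single quote closes the string literal
    // in the concatenated version and the remainder is parsed as SQL.
    static final String HOSTILE_INPUT = "x' OR '1'='1";

    // Vulnerable: the user-supplied value becomes part of the SQL text,
    // so the database parses attacker-controlled characters as syntax.
    static String buildVulnerableSql(String username) {
        return "SELECT email FROM users WHERE name = '" + username + "'";
    }

    static List<String> lookupVulnerable(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(username))) {
            while (rs.next()) emails.add(rs.getString("email"));
        }
        return emails;
    }

    // Hardened: the SQL text is a constant with a placeholder; the value is
    // sent to the driver as data, never spliced into the statement text.
    static final String SAFE_SQL = "SELECT email FROM users WHERE name = ?";

    static List<String> lookupSafe(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_SQL)) {
            ps.setString(1, username);   // quotes in the input stay inside the bound value
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    public static void main(String[] args) {
        // Shows what the database would see from each version for the hostile input.
        System.out.println("concatenated: " + buildVulnerableSql(HOSTILE_INPUT));
        System.out.println("parameterized: " + SAFE_SQL + "  (bound value: " + HOSTILE_INPUT + ")");
    }
}
```

Binding the value does not make it safe for every later use; as Ken van Wyk's comment notes, output to a browser still needs validation or encoding against cross-site scripting.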
