I'm using Java for a web application, and I'm working with a MySql database. I need to escape the query before execute it. This is my actual code :
db_result=mydb.selectQuery("SELECT nickname FROM users WHERE nickname='"+log_check_user+"' AND password='"+log_check_pass+"'");
public Vector selectQuery(String query) {
Vector v = null;
String [] record;
int colonne = 0;
try {
Statement stmt = db.createStatement();
ResultSet rs = stmt.executeQuery(query);
v = new Vector();
ResultSetMetaData rsmd = rs.getMetaData();
colonne = rsmd.getColumnCount();
while(rs.next()) {
record = new String[colonne];
for (int i=0; i<colonne; i++) record[i] = rs.getString(i+1);
v.add( (String[]) record.clone() );
}
rs.close();
stmt.close();
} catch (Exception e) { e.printStackTrace(); errore = e.getMessage(); }
return v;
}
I need this, as you can believe, to avoid the SQL Injection problem! How can I do it?
Use a prepared statement :
Sometimes it is more convenient to use a
PreparedStatement
object for sending SQL statements to the database. This special type of statement is derived from the more general class,Statement
...If you want to execute a
Statement
object many times, it usually reduces execution time to use aPreparedStatement
object instead.The main feature of a
PreparedStatement
object is that, unlike aStatement
object, it is given a SQL statement when it is created. The advantage to this is that in most cases, this SQL statement is sent to the DBMS right away, where it is compiled. As a result, thePreparedStatement
object contains not just a SQL statement, but a SQL statement that has been precompiled. This means that when thePreparedStatement
is executed, the DBMS can just run thePreparedStatement
SQL statement without having to compile it first...
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.