2

How to prevent SQL injection? I am using the below code to login:

con = DriverManager.getConnection("", "", "");

Statement statement = con.createStatement();

// email and password come straight from the login form and are concatenated into the SQL text
ResultSet rs = statement.executeQuery("SELECT email,pass FROM db_pass where email='" + email + "'and pass='" + password + "'");

if (rs.next()) {
    String a = rs.getString(1);
    String b = rs.getString(2);
    rs.close();
}

It works fine, but when I put (nitin' OR '1'='1) the user gets access without entering a valid password.

Stephen C
Addicted
  • it's a working sql query buddy.... – Addicted Apr 28 '12 at 07:41
  • @zero0cool - no space is required at that point. (Sure, it makes it more readable ... but is anyone actually reading it?) – Stephen C Apr 28 '12 at 07:42
  • 1
    possible duplicate of [Prevent SQL injection attacks in a Java program](http://stackoverflow.com/questions/9516625/prevent-sql-injection-attacks-in-a-java-program) ... and many others. – Stephen C Apr 28 '12 at 07:44

4 Answers

7

Use PreparedStatement. You can find an example in http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

To prevent SQL injection all queries should be parametrized and String concatenation should never be used to create dynamic SQL.

Mark Rotteveel
Paul Vargas
  • +1 - If you use SQL directly from Java (via JDBC), this is definitely the best ... and simplest approach. – Stephen C Apr 28 '12 at 07:46
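The login from the question rewritten with a PreparedStatement, as an added example that is not code from the original post or from the Oracle tutorial it links to. It keeps the question's table and column names (db_pass, email, pass) and its plaintext password comparison so the two versions line up; the JDBC URL and credentials are placeholders to be replaced with your own.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SafeLogin {

    // Same query as the question, with ? placeholders where the concatenation used to be.
    private static final String LOGIN_SQL =
        "SELECT email, pass FROM db_pass WHERE email = ? AND pass = ?";

    /**
     * Returns true when exactly the given credentials match a row.
     * The driver sends email and password as bound parameters, so an input such as
     * nitin' OR '1'='1 is compared literally against the email column and can
     * never change the structure of the query.
     */
    public static boolean login(Connection con, String email, String password) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, email);     // bound as data, quotes included
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection details (assumption): substitute your own JDBC URL, user and password.
        try (Connection con = DriverManager.getConnection("jdbc:PLACEHOLDER_URL", "dbuser", "dbpassword")) {
            // The injection string from the question is now just a (non-matching) email value.
            System.out.println(login(con, "nitin' OR '1'='1", "anything"));
            System.out.println(login(con, "nitin@example.com", "correct-password"));
        }
    }
}
```

The try-with-resources blocks also close the statement and result set on every path, which the original fragment only did inside the `if`. Comparing the stored `pass` column directly is kept only to mirror the question; how the password itself should be stored is a separate concern from the injection fix.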
0

It might be a good idea to use an ORM (object relational mapper). ORMs typically have built-in defenses against SQL injections.

Another great way to prevent SQL injections is to use a white list (i.e. a list of acceptable user inputs). When you receive input from a user, check to see if it is in the white list; if it isn't, reject it.

In your case, you want to have a white list of possible usernames and a white list of possible passwords; you can describe a white list of usernames and a white list of passwords using Regular Expressions. Don't homebrew your own Regular Expression though; there are plenty of pre-built Regular Expressions available online. You don't want to make your own because it's easy to make a mistake in its formulation that makes it vulnerable to SQL injection.

Hope this helps, good luck!

Michael
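An allow-list check for the email field of the login form, as an added example that is not part of the answer above. The pattern is constructed for this example (an approximation of a plain mailbox address, not a full RFC 5322 grammar) and the sample inputs are made up; the point is where such a check sits relative to the query: it rejects malformed input early and gives a clean error, but the query itself must still be parameterized, because validation alone is not what stops the injection.

```java
import java.util.regex.Pattern;

public final class LoginInputValidation {

    // Constructed allow-list pattern (assumption, not a standards-complete email grammar):
    // local part of permitted characters, one @, then dot-separated domain labels.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+$");

    // Hard upper bound so an oversized value is rejected before the regex is even consulted.
    private static final int MAX_EMAIL_LENGTH = 254;

    /** True only when the value is something we are willing to look up at all. */
    public static boolean isAcceptableEmail(String candidate) {
        return candidate != null
            && candidate.length() <= MAX_EMAIL_LENGTH
            && EMAIL.matcher(candidate).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal address, the value from the question, and junk.
        String[] samples = { "nitin@example.com", "nitin' OR '1'='1", "", "a@b" };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isAcceptableEmail(s) ? "accepted" : "rejected"));
        }
    }
}
```

Passwords are a poor fit for this kind of allow list: restricting which characters a password may contain weakens passwords and is unnecessary once the value is passed as a bound parameter. Validate the email for format and length, bind both values with a PreparedStatement, and treat the regex as a usability and defense-in-depth measure rather than the injection fix.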
-1

A typical and easy way to do this would be to compare the results of a hashing operation (md5 or sha1). The query would then look like

SELECT email, pass from db_pass where md5(email)='" + md5(email) + "' and md5(pass)='" + md5(password) + "'"

However, this would mean that you have an md5 function available in the language you are developing this in, and that your DB-System has an md5 function available too (for example, mysql does). Note that this does not make SQL injection completely impossible but is a good basic protection against the example you give.

zero0cool
  • 1
    Bad idea. You protect yourself from injection, but at the cost of making many queries impossible. For instance, you wouldn't be able to do a `LIKE` query to check for `"...@yahoo.com"` email addresses. – Stephen C Apr 28 '12 at 07:39
-1

You need to convert your string: if your string is abc', you should give the string abc'' to SQL, since your string is enclosed in ''.

gage