0

I'm doing a simple register form and I need to pass some parmeters in url, however I'm concerned about the security in java. in PHP I used to use

mysql_escape_string

To make sure no special characters is passed to the variable. however I'm not sure if thats needed in Java.

the question is : is it safe to use request.getAttribute(arg0) directly or do I need to secure it using some special method ?

Rupesh Yadav
  • 12,096
  • 4
  • 53
  • 70
Lamis
  • 456
  • 3
  • 9
  • 19
  • possible duplicate of [Java - escape string to prevent SQL injection](http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection) – BalusC Dec 20 '12 at 13:03

1 Answers1

2

There is an answer to that question in Java - escape string to prevent SQL injection.

I believe that the best thing to do is not to encode your command as a string, but to use a PreparedSatements and set the parameter using its methods, like SetInteger, SetBoolean as so on.

Community
  • 1
  • 1
rlinden
  • 2,053
  • 1
  • 12
  • 13
  • Ok thanks. will do so, just I want to make sure we wont get hacked because of something stupid I do .. – Lamis Jun 04 '12 at 12:06
  • 1
    Prepared statements instead of escaping is indeed the way to go. That also applies to PHP btw (mysqli and PDO support them) – ThiefMaster Jun 04 '12 at 12:07
  • I also found this class for escaping string http://wiki.vnetpublishing.com/Java_Mysql_Real_Escape_String – Lamis Jun 04 '12 at 12:07
  • 2
    It is an interesting class, but I believe that it goes a long way to do the same thing that PreparedStatements and its methods does a lot better. One thing that I learned during my years at developing is that reinventing the wheel usually results in a poorer wheel. – rlinden Jun 04 '12 at 12:17