
    String getDBUSERByUserIdSql = "{call getDBUSERByUserId(?,?,?,?)}";
    Connection dbConnection = null;
    CallableStatement callableStatement = null;

    try {
        dbConnection = getDBConnection();
        callableStatement = dbConnection.prepareCall(getDBUSERByUserIdSql);

        // IN parameter: the user id to look up (bound as a value, not pasted into the SQL text)
        callableStatement.setInt(1, 10);
        // OUT parameters filled in by the procedure
        callableStatement.registerOutParameter(2, java.sql.Types.VARCHAR);
        callableStatement.registerOutParameter(3, java.sql.Types.VARCHAR);
        callableStatement.registerOutParameter(4, java.sql.Types.DATE);

        // execute getDBUSERByUserId stored procedure
        callableStatement.executeUpdate();
    } catch (SQLException e) {
        System.out.println(e.getMessage());
    } finally {
        if (callableStatement != null) callableStatement.close();
        if (dbConnection != null) dbConnection.close();
    }

or

prepared statements

user3313167
  • XSS is not related to SQL Injection; it requires a totally different approach which isn't provided by a database or its driver. – Mark Rotteveel Apr 09 '14 at 11:44

2 Answers


You'd use preparedStatement, although this is for SQLi prevention rather than XSS

David

First you need to understand the differences between PreparedStatement and CallableStatement.

PreparedStatement Use when you plan to use the SQL statements many times. The PreparedStatement interface accepts input parameters at runtime.

CallableStatement Use when you want to access database stored procedures. The CallableStatement interface can also accept runtime input parameters.

And to avoid **XSS** you could prefer PreparedStatement, as David said. Refer here.

Hope this helps !!

Santhosh
  • And still XSS is the wrong term - cross site scripting is usually referring to attacks in the browser. What you'd like to prevent is SQL-Injection - and this is completely 100% safely avoided by using Bind-Variables! – Falco Apr 09 '14 at 14:16
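As an added example, not code from the question or from either answer, the cases the thread discusses side by side: a lookup built by string concatenation, the same lookup through a PreparedStatement bind variable, the question's stored-procedure call through a CallableStatement, and the HTML encoding step that actually addresses XSS (which neither statement type can do, as the comments above point out). The DBUSER table with USERNAME and EMAIL columns, the meaning of the procedure's OUT parameters, and the JDBC URL taken from the command line are assumptions; getDBUSERByUserId is the procedure named in the question, and the attacker input is constructed for the example.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;

public class DbUserLookup {

    // Constructed attacker input: the quote closes the literal, the tail is always true.
    static final String PAYLOAD = "x' OR '1'='1";

    // VULNERABLE: the input becomes part of the SQL text, so PAYLOAD turns the query into
    //   SELECT EMAIL FROM DBUSER WHERE USERNAME = 'x' OR '1'='1'
    // which matches every row. (DBUSER, USERNAME and EMAIL are assumed names.)
    static String findEmailUnsafe(Connection c, String userName) throws SQLException {
        String sql = "SELECT EMAIL FROM DBUSER WHERE USERNAME = '" + userName + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // FIXED: a bind variable. The statement text is fixed at prepare time and the driver
    // sends the value separately, so PAYLOAD is compared literally as a user name.
    static String findEmailSafe(Connection c, String userName) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT EMAIL FROM DBUSER WHERE USERNAME = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // The question's stored-procedure call. A CallableStatement binds its parameters the same
    // way, so the call itself cannot be injected. Caveat: if the procedure body builds dynamic
    // SQL from its argument (EXECUTE IMMEDIATE ... || p_name), the injection moves inside it.
    static String getUserNameById(Connection c, int userId) throws SQLException {
        try (CallableStatement cs = c.prepareCall("{call getDBUSERByUserId(?,?,?,?)}")) {
            cs.setInt(1, userId);                      // IN: user id
            cs.registerOutParameter(2, Types.VARCHAR); // OUT: assumed to be the user name
            cs.registerOutParameter(3, Types.VARCHAR);
            cs.registerOutParameter(4, Types.DATE);
            cs.execute();
            return cs.getString(2);
        }
    }

    // XSS is a different bug at a different boundary: a value stored safely with a bind
    // variable is still dangerous when written into HTML. Encode it at output time.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws SQLException {
        // Usage: java DbUserLookup <jdbc-url>  (a JDBC driver for that URL on the classpath is assumed)
        try (Connection c = DriverManager.getConnection(args[0])) {
            System.out.println("unsafe: " + findEmailUnsafe(c, PAYLOAD));
            System.out.println("safe:   " + findEmailSafe(c, PAYLOAD));
            System.out.println("proc:   " + getUserNameById(c, 10));
        }
        System.out.println(htmlEscape("<script>alert(1)</script>"));
    }
}
```

Run against a test database containing a DBUSER row: the concatenated query returns the first row's EMAIL for the payload, the bound query returns null because no user is literally named `x' OR '1'='1`, and the escaped script tag is rendered as text rather than executed. The point the comments above make is visible in the code: PreparedStatement and CallableStatement both separate data from SQL text, which is the SQL injection fix, while the browser-side problem is handled only by encoding at the HTML boundary.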