2

I was just googling for "how to add records into a database with ' in them" and then stumbled upon a possible vulnerability to my program, "sql injection". I don't know much about this; I saw it first on this page. People are saying something about parametrized query.

Here is my code in java:

 public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
    String additem = "INSERT INTO item VALUES(" + addComma(returnInQuotes(id)) + addComma(returnInQuotes(name)) + addComma(returnInQuotes(manufacturer)) +
    addComma(returnInQuotes(desc)) + addComma(returnInQuotes(category)) + cost + ")";
    Statement statement = con.createStatement();
    return statement.executeUpdate(additem);
}

public int removeItemById(String id) throws SQLException{
    String removeitembyid = "DELETE FROM item WHERE id = " + returnInQuotes(id);
    Statement statement = con.createStatement();
    return statement.executeUpdate(removeitembyid);
}

private String returnInQuotes(String str){
    return  "'" + str + "'";
}

private String addComma(String str){
    return str + ",";
}

addComma and returnInQuotes are methods I made because I was sick of typing them in in the methods that need them.

So far I've tried my queries without the quotes, derby jdbc doesn't seem to work without them.

Community
  • 1
  • 1
user3259014
  • 21
  • 3
  • 1
    Have a look at [http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection](http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection) – PbxMan Apr 19 '14 at 11:45
  • use parameters placeholder; just google around and you'll find a lot of stuff – Luca Basso Ricci Apr 19 '14 at 11:51

2 Answers2

4

SQL Injection can be used when you directly use user input for your sql statements, a good way to overcome this vulnerability is to use PreparedStatement in Java:

public int addItem(String name, String manufacturer, String desc, String id, String category, double cost) throws SQLException{
    String additem = "INSERT INTO item VALUES (?, ?, ?, ?, ?, ?)";
    PreparedStatement statement = con.prepareStatement(additem);
    statement.setString(1, id);
    statement.setString(2, name);
    statement.setString(3, manufacturer);
    statement.setString(4, desc);
    statement.setString(5, category);
    statement.setDouble(6, cost);
    return statement.executeUpdate();
}

public int removeItemById(String id) throws SQLException{
    String removeitembyid = "DELETE FROM item WHERE id = ?";
    PreparedStatement statement = con.prepareStatement(removeitembyid);
    statement.setString(1, id);
    return statement.executeUpdate();
}

You also don`t need to add quotes yourself, they are added automatically.

user432
  • 3,506
  • 17
  • 24
2

No, your code is not safe. You need to change this method to escape embedded apostrophes:

private String returnInQuotes(String str){
    return "'" + str.replace("'", "''") + "'";
}

Otherwise, an id such as this:

1'; delete from item where 'a' = 'a

Would have disastrous effects if your driver allows multiple statements to be executed in one call.

However, the best way to protect against injection is to use prepared statements and set parameter values; the driver handles the quoting for you.

Bohemian
  • 412,405
  • 93
  • 575
  • 722