In my insert query I use a SEQUENCE; because of this I declined to use SimpleJdbcInsert....executeBatch(data);

// schema, tableName, fieldName1 and fieldName2 are concatenated straight into the statement;
// only the two column values are bound as parameters
String sql = "INSERT INTO "+ schema +"."+ tableName +" (id, " + fieldName1 + ", " + fieldName2 + ") VALUES (BUF_SEQ.nextval, ?, ?)";
List<Object[]> recordValues = new ArrayList<Object[]>();
//... add values of records to recordValues list (one Object[] per row, matching the two placeholders)

// run batch update for insert
jdbcTemplate.batchUpdate(sql, recordValues);

Maybe someone can suggest a better way to use Spring Framework JDBC to insert a large number of records, and to check the field names for SQL injection?

Sprinter

1 Answer


1) Instead of calling the sequence in your insert query, create an insert trigger on the id column of the table. See: How to create id with AUTO_INCREMENT on Oracle?
2) Now use Spring's batch update to do the bulk insertion, i.e. jdbcTemplate.batchUpdate
In your insert query you no longer need to specify the id; every time you insert into the table, the trigger fires and the id is incremented.
3) Use a Prepared Statement for the insert query in order to avoid SQL injection.

Amit Bhati
Prepared statements cannot protect you against SQL injection using object names (table and column names, etc). The only solid way is to either use a whitelist, or check against the `DatabaseMetaData`. – Mark Rotteveel Aug 07 '15 at 16:33
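A worked example of step 3 of the answer combined with the whitelist / `DatabaseMetaData` check from Mark Rotteveel's comment. This is an added example, not code from the question, the answer or Spring itself; the `WhitelistedBatchInsert` class, its method names and the regular expression are assumptions, and the id is still drawn from the `BUF_SEQ` sequence the question uses (the trigger approach from step 1 would simply drop the `ID` column and the `nextval` from the statement).

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.jdbc.core.BatchPreparedStatementSetter;
import org.springframework.jdbc.core.JdbcTemplate;

/**
 * Hypothetical helper (not from the question or the answer): schema, table and column
 * names are checked against DatabaseMetaData before they are concatenated into the
 * INSERT; the row values themselves always go through bind parameters.
 */
public class WhitelistedBatchInsert {

    // Syntactic whitelist: a plain, unquoted Oracle identifier (a letter followed by up to
    // 29 letters, digits, _, $ or #; 30 characters is the cap on releases before 12.2).
    // Anything else, e.g. "X) VALUES (1); DROP TABLE T--", is rejected before any lookup.
    private static final Pattern PLAIN_IDENTIFIER = Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,29}");

    private final JdbcTemplate jdbcTemplate;

    public WhitelistedBatchInsert(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    /** Column names the database itself reports for SCHEMA.TABLE (Oracle stores them upper-case). */
    Set<String> columnsOf(String schema, String table) {
        return jdbcTemplate.execute((Connection con) -> {
            DatabaseMetaData md = con.getMetaData();
            Set<String> cols = new HashSet<>();
            try (ResultSet rs = md.getColumns(null, schema, table, "%")) {
                while (rs.next()) {
                    cols.add(rs.getString("COLUMN_NAME"));
                }
            }
            return cols;
        });
    }

    /** Upper-cases the name and rejects it unless it is syntactically plain and in the allowed set. */
    static String checked(String name, Set<String> allowed, String what) {
        if (name == null || !PLAIN_IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("malformed " + what + " name: " + name);
        }
        String upper = name.toUpperCase();
        if (!allowed.contains(upper)) {
            throw new IllegalArgumentException("unknown " + what + ": " + name);
        }
        return upper;
    }

    /** Inserts every row of {@code rows}, one value per entry of {@code columns}; returns the driver's update counts. */
    public int[] insertAll(String schema, String table, List<String> columns, List<Object[]> rows) {
        // Schema and table are checked syntactically first, so the metadata query never sees an
        // attacker-shaped pattern; an empty column set means the table does not exist (or is not
        // visible to this user), which is treated as a rejection as well.
        if (!PLAIN_IDENTIFIER.matcher(schema).matches() || !PLAIN_IDENTIFIER.matcher(table).matches()) {
            throw new IllegalArgumentException("malformed schema or table name");
        }
        String safeSchema = schema.toUpperCase();
        String safeTable = table.toUpperCase();
        Set<String> known = columnsOf(safeSchema, safeTable);
        if (known.isEmpty()) {
            throw new IllegalArgumentException("no such table: " + safeSchema + "." + safeTable);
        }

        List<String> safeCols = new ArrayList<>();
        for (String c : columns) {
            safeCols.add(checked(c, known, "column"));
        }
        for (Object[] row : rows) {
            if (row.length != safeCols.size()) {
                throw new IllegalArgumentException("row has " + row.length + " values for " + safeCols.size() + " columns");
            }
        }

        // Only validated identifiers are concatenated; every value is a bind parameter.
        String sql = "INSERT INTO " + safeSchema + "." + safeTable
                + " (ID, " + String.join(", ", safeCols) + ")"
                + " VALUES (BUF_SEQ.nextval, " + String.join(", ", Collections.nCopies(safeCols.size(), "?")) + ")";

        return jdbcTemplate.batchUpdate(sql, new BatchPreparedStatementSetter() {
            @Override
            public void setValues(PreparedStatement ps, int i) throws SQLException {
                Object[] row = rows.get(i);
                for (int c = 0; c < row.length; c++) {
                    ps.setObject(c + 1, row[c]);
                }
            }

            @Override
            public int getBatchSize() {
                return rows.size();
            }
        });
    }
}
```

The `batchUpdate(String, List<Object[]>)` overload from the question works just as well here; the `BatchPreparedStatementSetter` form only avoids copying the rows into a second structure. The metadata check is the part a prepared statement cannot give you: it answers "is this a column of that table?" rather than "is this a well-formed value?", and because it reads the catalog under the application's own database account, a name that passes the regex but belongs to a table the account cannot see is still refused.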