
I've been working with MySQL on a semi-sophisticated level for a while now.

I was doing some more research on it, when I came across this http://bobby-tables.com/java.html.

I am now wondering if it is unsafe to not use the methods such as .setInt() which replace the "?" characters in the prepared statement strings with variables.

The project I am currently working on can not use those methods, so I manually put my variables into the queries. Is this somehow unsafe? And if so, is there a way to fix it without using those methods?

Thanks!

C_Neth

  • *Is this somehow unsafe?* **Yes**. *And if so, is there a way to fix it without using those methods?* ***Sanitize*** user inputs (which is usually *harder* than using `PreparedStatement`s and bind parameters). – Elliott Frisch Jan 30 '16 at 02:53
  • Check this out http://stackoverflow.com/questions/4333015/does-the-preparedstatement-avoid-sql-injection – uncaught_exception Jan 30 '16 at 02:59
  • "*The project I am currently working on can not use those methods*" - wat. – dimo414 Jan 30 '16 at 03:08
  • @dimo414 I'm making a "MySQL Lib" that makes MySQL easier to use in Java, and trying to give it as much flexibility as possible. Therefore for each MySQL column type, I have a different class. I guess I'm going to have to figure out how to implement this. – C_Neth Jan 30 '16 at 03:36
  • Is there a method within the PreparedStatement that would work for any datatype? That would actually be amazing. – C_Neth Jan 30 '16 at 03:38
  • You might be looking for [reflection](https://docs.oracle.com/javase/tutorial/reflect/index.html). But there is truly no point in a MySQL library that sacrifices data sanitization. I'm all for improving on JDBC, but be sure it's actually an *improvement*. – dimo414 Jan 30 '16 at 03:48
  • @dimo414 I don't see how reflection would help here, heh. And yea, I am pretty bummed out considering I've spent literal days of work on this to find it has a major security exploit. Looks like I have a lot more work to do now. – C_Neth Jan 30 '16 at 03:51
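The type-agnostic binding the comments ask about (one call that works for any column type) exists in JDBC as `PreparedStatement.setObject`. Below is an added example, not code from the question or its commenters, showing the concatenation pattern the question describes next to a generic binder built on `setObject`; it assumes a `users` table with `name` and `active` columns and an open JDBC `Connection` supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // What the question describes: the value becomes part of the SQL text, so the
    // database parses whatever the caller supplied as statement syntax, not as data.
    public static List<String> namesUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Safe: the SQL text is fixed at prepare time and values travel as parameters.
    // bind() works for any Java value, so a library needs one path, not one per column type.
    public static List<String> namesSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = ? AND active = ?";
        try (PreparedStatement ps = bind(conn, sql, username, Boolean.TRUE);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    // Generic binder: setObject lets the driver choose the SQL type from the Java type.
    // Nulls go through setNull, since some drivers reject setObject(i, null).
    public static PreparedStatement bind(Connection conn, String sql, Object... params) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(sql);
        int expected = ps.getParameterMetaData().getParameterCount();
        if (expected != params.length) {            // catch a template/argument mismatch early
            ps.close();
            throw new IllegalArgumentException("expected " + expected + " parameters, got " + params.length);
        }
        for (int i = 0; i < params.length; i++) {   // JDBC parameter indexes start at 1
            if (params[i] == null) ps.setNull(i + 1, Types.NULL);
            else ps.setObject(i + 1, params[i]);
        }
        return ps;
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) names.add(rs.getString("name"));
        return names;
    }
}
```

Only the values are ever bound; table and column names still cannot be parameters, so a library that accepts those from callers must validate them against an allow-list rather than splice them in.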
