
Possible Duplicate:
Java - escape string to prevent SQL injection

I know PHP has a function called "addslashes()" which is fairly effective, but does JavaServer Pages (JSP) have an equivalent when dealing with forms?

Dech
    Addslashes is actually a poor practice. `mysql_real_escape_string()` should be preferred or, better, just prepared statements (PDO). Note that writing raw Java code in a JSP file instead of a Java class is a poor practice as well ;) This is not a JSP problem/issue at all, but a Java/JDBC one. – BalusC Feb 21 '11 at 16:27
  • Note: "fairly effective" is *not effective*. `addslashes` is not in any way designed for security -- it's made for convenience. It just helps noobs write bad PHP to generate semi-valid MySQL without taxing their brain cells too much. It's not even close to secure, and only protects against the most basic of attacks -- and it's totally useless if you use a DBMS other than MySQL (unless that system allows backslashes to escape stuff, *which is not standard SQL*). – cHao Feb 21 '11 at 16:28
  • By the way, is this your classmate? http://stackoverflow.com/questions/5065364/whats-the-equivalent-of-addslashes-in-jsp-servlets The very same question was asked before today, also with an `addslashes()` reference (while this kind of question with a PHP reference has never been asked in years here). – BalusC Feb 21 '11 at 16:31

1 Answer


See this answer on how to prevent SQL injection: Java - escape string to prevent SQL injection

Jan Zyka
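To make the linked advice concrete, here is an added example (not code from the question, the answer, or the linked post) showing the two approaches side by side in plain JDBC: the string-concatenated query that an addslashes()-style escape tries to patch, and the PreparedStatement that makes escaping unnecessary. It assumes an H2 in-memory database (the `jdbc:h2:mem:` URL and the H2 driver on the classpath); the `users` table, its two rows and the attacker input are constructed for the demo. In a real JSP/servlet the value would come from `request.getParameter("username")` and be passed straight to `setString`, and, as the comment above notes, this code belongs in a Java class rather than in the JSP itself.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: vulnerable string concatenation vs. a JDBC PreparedStatement.
 * Assumes an H2 in-memory database (jdbc:h2:mem:) with the H2 driver on the
 * classpath; the table, rows and the malicious form input are constructed here.
 */
public class LoginLookup {

    // Vulnerable: the form value becomes part of the SQL text. An input such as
    // ' OR '1'='1 changes the structure of the query. Escaping quotes (what
    // addslashes() does) only covers some cases and depends on the DBMS's
    // quoting rules, so it is not a fix.
    static int countMatchesUnsafe(Connection con, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed at compile time and the form value is bound
    // as a parameter, so the driver sends it as data, not as query syntax.
    // No escaping is needed, whatever the DBMS.
    static int countMatchesSafe(Connection con, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // Constructed demo table and rows.
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE users (username VARCHAR(50))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob')");
            }

            // Constructed malicious form input: a classic tautology injection.
            String attacker = "' OR '1'='1";

            // The concatenated query becomes
            //   SELECT COUNT(*) FROM users WHERE username = '' OR '1'='1'
            // and matches every row; the prepared statement looks for a user
            // literally named ' OR '1'='1 and matches none.
            System.out.println("unsafe: " + countMatchesUnsafe(con, attacker)); // 2
            System.out.println("safe:   " + countMatchesSafe(con, attacker));   // 0
        }
    }
}
```

The difference is structural rather than a matter of how thoroughly the input is escaped: with a prepared statement the query shape is sent to the database before any user value is attached, so no value can change it. The same `?` placeholder and `setXxx` binding works for every JDBC driver, which is also why it is the answer for JSP: there is no JSP-specific escaping function, because the fix lives in the JDBC layer.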