
In PHP we have sanitize to ensure a String is safe. What is the similar thing for Java? I know PreparedStatement, but it will not help me in my project. Is there something that checks only letters are there in a String?

query = "SELECT  Bill_No,No,Item,Count,Rate,GST,Net,Date,Time,Manager FROM bill WHERE Manager = '"+Manager_str+"';  ";
//This is definitely insecure
M A
    Why PreparedStatement does not help? – M A Apr 05 '21 at 12:01
    Also in PHP using [prepared statements](https://www.php.net/manual/en/pdo.prepared-statements.php) preferably with [PDO](https://www.php.net/manual/en/book.pdo.php) or [mysqli](https://www.php.net/manual/en/mysqli.prepare.php) is better idea than just sanitizing incoming data. – biesior Apr 05 '21 at 12:21
  • If you know about prepared statements, use them and bind values to parameters in those queries. Trying to build a query string from unknown values at run time is the absolute wrong approach to sql. – Shawn Apr 05 '21 at 13:14
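An added example (not from the question or any answer) showing the question's query rewritten with a bound parameter, beside a letters-only allow-list check used as a business-rule validation rather than as the injection defence. The table and column names come from the question; the class name `BillLookup`, the methods `billsForManager` and `isLettersOnly`, and the assumption that `Manager` holds ASCII names only are mine. The JDBC methods need a `Connection` (and a driver) supplied by the caller, so `main` only exercises the validator and prints the concatenated SQL for comparison.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BillLookup {

    // Allow-list for the "only letters" check the question asks about.
    // [A-Za-z] is used because the Manager column is assumed (hypothetical)
    // to hold ASCII names; Character.isLetter would also accept non-ASCII letters.
    private static final Pattern LETTERS_ONLY = Pattern.compile("[A-Za-z]+");

    public static boolean isLettersOnly(String s) {
        return s != null && LETTERS_ONLY.matcher(s).matches();
    }

    // INSECURE (the question's own query shape): the value is pasted into the SQL
    // text, so a quote inside it changes the structure of the statement.
    public static String insecureQuery(String managerStr) {
        return "SELECT Bill_No,No,Item,Count,Rate,GST,Net,Date,Time,Manager "
                + "FROM bill WHERE Manager = '" + managerStr + "';";
    }

    // SAFE: the SQL text is fixed at compile time; the manager name travels as a
    // bound parameter and is never parsed as SQL, whatever characters it contains.
    public static List<String> billsForManager(Connection conn, String managerStr)
            throws SQLException {
        String sql = "SELECT Bill_No,No,Item,Count,Rate,GST,Net,Date,Time,Manager "
                + "FROM bill WHERE Manager = ?";
        List<String> billNos = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, managerStr);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    billNos.add(rs.getString("Bill_No"));
                }
            }
        }
        return billNos;
    }

    // Defence in depth: reject input that violates the business rule, then still
    // bind the value. Removing the check later does not reopen injection.
    public static List<String> billsForManagerChecked(Connection conn, String managerStr)
            throws SQLException {
        if (!isLettersOnly(managerStr)) {
            throw new IllegalArgumentException("manager name must contain letters only");
        }
        return billsForManager(conn, managerStr);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database is needed for this part.
        // "O'Brien" is a legitimate name that a letters-only rule rejects and that
        // breaks the concatenated query, while the bound parameter handles it.
        String[] samples = { "Alice", "", "Al1ce", "O'Brien" };
        for (String s : samples) {
            System.out.println("isLettersOnly(\"" + s + "\") = " + isLettersOnly(s));
            System.out.println("  concatenated SQL: " + insecureQuery(s));
        }
    }
}
```

The point of `billsForManagerChecked` is the one luk2302 raises below: an allow-list is a requirement of the application, not the thing that stops injection. If the rule is later relaxed to admit names like "O'Brien", only the validator changes and the query stays safe because the name is still bound, not concatenated.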

2 Answers

0

The Character class has a method isAlphabetic, which you may use by looping the characters in your input string.

public static boolean isLettersOnly(String query) {
    for (char c : query.toCharArray()) {
        if (!Character.isAlphabetic(c)) {
            return false;   // first non-letter ends the scan
        }
    }
    return true;            // note: an empty string also returns true
}

If you are using Java 8 or above, you could use streams:

return query.chars().allMatch(Character::isAlphabetic);
Gautham M
  • While technically true it is not a good idea to manually sanitize sql input. The next requirement will be that a `Manager` can now contain any character, the dev removes this check and ***boom*** ... sql injection – luk2302 Apr 05 '21 at 13:13
  • @KajHejer That would return `true` if at least one character is a letter. It should be `query.chars().allMatch(Character::isAlphabetic)` – Gautham M Apr 05 '21 at 13:43
  • @luk2302, that is true. But my answer was more intended towards "Is there something that checks only letters are there in String" part of the question. – Gautham M Apr 05 '21 at 13:47
  • @GauthamM Thanks for your comment about the bug in my code! I have deleted my comment. – Kaj Hejer Apr 05 '21 at 16:13
0

Try this.

public static void main(String[] args) {
    String str="sadahkk";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));
    str="";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));
    str="sada5hkk";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));
    str="<alert>";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));
    str="-- sadahkk";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));
    str="@fgfg";
    System.out.println("str :"+str +" , isAlphabetsOnly:"+isAlphabetsOnly(str));

}
public static boolean isAlphabetsOnly(String str) {
    // null must be tested first, otherwise str.equals("") throws NullPointerException;
    // the empty-string test is needed because [a-zA-Z]* also matches ""
    return ((str != null)
            && (!str.equals(""))
            && (str.matches("^[a-zA-Z]*$")));
}

=======================================================

Output as follows:

str :sadahkk , isAlphabetsOnly:true
str : , isAlphabetsOnly:false
str :sada5hkk , isAlphabetsOnly:false
str :<alert> , isAlphabetsOnly:false
str :-- sadahkk , isAlphabetsOnly:false
str :@fgfg , isAlphabetsOnly:false