How to prevent SQL injection
// Use a prepared statement to prevent SQL injection:
// the SQL text is fixed, and $name (untrusted user input) is bound as a value,
// never concatenated into the query string.
$preparedStatement = $dbConnection->prepare('SELECT * FROM animals WHERE name = ?');
$preparedStatement->bind_param('s', $name);
$preparedStatement->execute();
$result = $preparedStatement->get_result();
while ($row = $result->fetch_assoc()) {
    // Process $row
}
// This should REALLY be validated too
String custname = request.getParameter("customerName");
// Perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
public List<AccountDTO> unsafeFindAccountsByCustomerId(String customerId) throws SQLException {
    // UNSAFE !!! DON'T DO THIS !!!
    String sql = "select "
            + "customer_id,acc_number,branch_id,balance "
            + "from Accounts where customer_id = '" + customerId + "'";
    Connection c = dataSource.getConnection();
    ResultSet rs = c.createStatement().executeQuery(sql);
    // ...
}
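The two Java snippets above show the unsafe (string concatenation) and safe (parameterized) forms side by side but cannot be run without a database. The following added example, written for this page and not taken from the original snippets, reproduces both forms against an in-memory SQLite database so the difference can be observed directly: the table, its rows and the input strings are constructed here, and the function names are assumptions. With the concatenated query a tautology in the input changes the meaning of the WHERE clause and every row comes back; with the parameterized query the same input is compared as a literal user name and matches nothing.

```python
import sqlite3

# Constructed sample data (not from the original page).
ROWS = [
    ("alice", 100.0),
    ("bob", 250.5),
    ("carol", 75.25),
]


def make_db():
    """Create an in-memory SQLite database with a small constructed user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance REAL)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def unsafe_balance_lookup(conn, user_name):
    """UNSAFE: concatenates untrusted input into the SQL text, the same pattern
    as the unsafeFindAccountsByCustomerId snippet. Kept only to show why the
    parameterized version below is required."""
    sql = ("SELECT user_name, account_balance FROM user_data "
           "WHERE user_name = '" + user_name + "'")
    return conn.execute(sql).fetchall()


def safe_balance_lookup(conn, user_name):
    """SAFE: the SQL text is fixed and the value travels separately as a bound
    parameter (equivalent to pstmt.setString(1, custname)); it is never parsed
    as SQL."""
    sql = "SELECT user_name, account_balance FROM user_data WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a tautology-carrying input."""
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"  # constructed input that closes the quote in the unsafe query
    return {
        "unsafe_normal": unsafe_balance_lookup(conn, normal),
        "unsafe_hostile": unsafe_balance_lookup(conn, hostile),
        "safe_normal": safe_balance_lookup(conn, normal),
        "safe_hostile": safe_balance_lookup(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The bound-parameter form is the fix; input validation (as the comment in the OWASP-style snippet above urges) is a second layer on top of it, not a substitute, because the database driver, not string handling in application code, guarantees that a parameter can only ever be a value.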