24 lines
992 B
Plaintext
24 lines
992 B
Plaintext
== Immutable Queries
|
|
|
|
These are the best defense against SQL injection. They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
|
|
|
|
=== Static Queries
|
|
-------------------------------------------------------
|
|
select * from products;
|
|
-------------------------------------------------------
|
|
|
|
-------------------------------------------------------
|
|
select * from users where user = "'" + session.getAttribute("UserID") + "'";
|
|
-------------------------------------------------------
|
|
|
|
=== Parameterized Queries
|
|
-------------------------------------------------------
|
|
String query = "SELECT * FROM users WHERE last_name = ?";
|
|
PreparedStatement statement = connection.prepareStatement(query);
|
|
statement.setString(1, accountName);
|
|
ResultSet results = statement.executeQuery();
|
|
-------------------------------------------------------
|
|
|
|
=== Stored Procedures
|
|
Only if stored procedure does not generate dynamic SQL
|