Eliminating the problem
Posted Jun 1, 2006 14:31 UTC (Thu) by iabervon
In reply to: Eliminating the problem
Parent article: SQL injection vulnerabilities in PostgreSQL
The thing I find even stranger is that it's pretty simple to write an equivalent for StringBuffer that has different methods for appending SQL text and constants, and automatically handles formatting for PreparedStatements. So:
SQLBuffer buffer = new SQLBuffer();
buffer.append("select * from user_acct where username = ").
add(username).append(" and password = ").
PreparedStatement stmt = connection.prepareStatement(buffer.getSQL());
That way, you don't have to worry about getting the variables mixed up, or dealing with the fact that you can't really trust the database driver to handle a java.util.Date.
The example you gave isn't as compact in this form, but that difference goes away if you've got queries where some clause is optional.
to post comments)