Java 17 Recipes


-7. Guarding Against SQL Injection


Download 3.2 Mb.
Pdf ko'rish
bet229/245
Sana02.06.2024
Hajmi3.2 Mb.
#1839910
1   ...   225   226   227   228   229   230   231   232   ...   245
Bog'liq
Java 17 Recipes

12-7. Guarding Against SQL Injection
 Problem
Your application performs database tasks. To reduce the chances of a SQL injection 
attack, you need to ensure that no unfiltered strings of text are being appended to SQL 
statements and executed against the database.
Tip although prepared statements are the solution to this recipe, they can be 
used more than protecting against sQL injection. they also provide a way to 
centralize and better control the sQL used in an application. instead of creating 
multiple, possibly different, versions of the same query, for example, you can 
create the query once as a prepared statement and invoke it from many different 
places throughout your code. any change to the query logic needs to happen only 
when you prepare the statement.
 Solution
Use PreparedStatement objects for performing the database tasks. They send a 
precompiled SQL statement to the DBMS rather than a string. The following code 
demonstrates how to perform a database query and a database update using a
java.sql.PreparedStatement object.
In the following code example, PreparedStatement queries a database for a given 
record. Assume that the a String[] of recipe numbers is passed to this code as a 
variable.
Chapter 12 Working With Databases


449
private static void queryDbRecipe(String[] recipeNumbers) {
String sql = "SELECT ID, RECIPE_NUMBER, RECIPE_NAME, DESCRIPTION "
+ "FROM RECIPES "
+ "WHERE RECIPE_NUMBER = ?";
try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
for (String recipeNumber : recipeNumbers) {
pstmt.setString(1, recipeNumber);
ResultSet rs = pstmt.executeQuery();
while (rs.next()) {
System.out.println(rs.getString(2) + ": " + rs.getString(3)
+ " - " + rs.getString(4));
}
}
} catch (SQLException ex) {
ex.printStackTrace();
}
}
The next example demonstrates a PreparedStatement object that inserts a record 
into the database. Assume that the recipe number, title, and description are passed to 
this code as variables. The ID column is declared NOT NULL and AUTO-INCREMENT, so 
it is also possible to assign NULL to the column to generate sequence numbers.
private static void insertRecord(String recipeNumber,
String title,
String description) {
String sql = "INSERT INTO RECIPES VALUES(" +
"null, ?,?,?)";
try(PreparedStatement pstmt = conn.prepareStatement(sql);) {
pstmt.setString(1, recipeNumber);
pstmt.setString(2, title);
pstmt.setString(3, description);
pstmt.executeUpdate();
System.out.println("Record successfully inserted.");
Chapter 12 Working With Databases


450
} catch (SQLException ex){
ex.printStackTrace();
}
}
In this last example, a PreparedStatement object deletes a record from the database. 
Again, assume that the recipeNumber string is passed to this code as a variable.
private static void deleteRecord(String recipeNumber) {
String sql = "DELETE FROM RECIPES WHERE " +
"RECIPE_NUMBER = ?";
try(PreparedStatement pstmt = conn.prepareStatement(sql);) {
pstmt.setString(1, recipeNumber);
pstmt.executeUpdate();
System.out.println("Recipe " + recipeNumber + " successfully 
deleted.");
} catch (SQLException ex){
ex.printStackTrace();
}
}
The main method is:
public static void main(String[] args) {
try {
CreateConnection createConn = new CreateConnection();
conn = createConn.getConnection();
String[] recipeArr = new String[1];
recipeArr[0] ="12-1";
queryDbRecipe(recipeArr);
insertRecord(
"12-6",
"Simplifying and Adding Security with Prepared 
Statements",
"Working with Prepared Statements");
recipeArr[0] ="12-6";
queryDbRecipe(recipeArr);
deleteRecord("12-6");
Chapter 12 Working With Databases


451
} catch (java.sql.SQLException ex) {
System.out.println(ex);
} finally {
if (conn != null) {
try {
conn.close();
} catch (SQLException ex) {
ex.printStackTrace();
}
}
}
}
The following is the output.
12-1: Installing MySQL - Downloading and installation of a MySQL Database
Record successfully inserted.
12-6: Simplifying and Adding Security with Prepared Statements - Working 
with Prepared Statements
Recipe 12-6 successfully deleted.
As you can see, a PreparedStatement object is very much the same as a standard 
JDBC statement object, but instead, it sends precompiled SQL to the DBMS rather than 
strings of text.

Download 3.2 Mb.

Do'stlaringiz bilan baham:
1   ...   225   226   227   228   229   230   231   232   ...   245




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©fayllar.org 2024
ma'muriyatiga murojaat qiling