A3 - Injection | SQL Injection Mitigation | Cycubix Docs
This lesson describes various mitigation mechanisms against SQL Injection.
Immutable queries are the best defense against SQL injection. They either contain no data that could be interpreted as SQL, or they treat the data as a single value that is bound to a column without interpretation.
Static queries (nothing from the request is pasted into the statement text; the second example only reads a value the server itself stored in the session):
SELECT * FROM products;
String query = "SELECT * FROM users WHERE user = '" + session.getAttribute("UserID") + "'";
Parameterized queries (the value supplied at runtime is bound to the ? placeholder as data, so the database never parses it as SQL):
String query = "SELECT * FROM users WHERE last_name = ?";
PreparedStatement statement = connection.prepareStatement(query);
statement.setString(1, accountName); // accountName is bound as a single string value
ResultSet results = statement.executeQuery();
Stored procedures: safe only if the stored procedure does not itself generate dynamic SQL. A procedure that concatenates its arguments into a statement and executes it reintroduces the injection inside the database.
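The difference between a dynamic query and a parameterized one can be seen without any attack input: a legitimate last name containing an apostrophe is enough. The following is an added example, not code from the original lesson; it uses Python's sqlite3 module and an in-memory table constructed here, where the `?` placeholder with a parameter tuple plays the role of the JDBC PreparedStatement shown above. The function and table names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample database for this example (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users (last_name) VALUES (?)",
        [("Smith",), ("O'Brien",)],
    )
    conn.commit()
    return conn

def find_by_last_name_concat(conn, account_name):
    # Dynamic query: the value becomes part of the SQL text, so the parser
    # interprets whatever it contains. A legitimate apostrophe already breaks
    # the statement, which is the same weakness an attacker would exploit.
    query = "SELECT id, last_name FROM users WHERE last_name = '" + account_name + "'"
    return conn.execute(query).fetchall()

def find_by_last_name_param(conn, account_name):
    # Parameterized query: the driver binds the value to the placeholder as a
    # single string, so it is matched as data and never parsed as SQL.
    query = "SELECT id, last_name FROM users WHERE last_name = ?"
    return conn.execute(query, (account_name,)).fetchall()

def compare(account_name="O'Brien"):
    """Run both variants on the same input and return what each produced."""
    conn = make_db()
    results = {"parameterized": find_by_last_name_param(conn, account_name)}
    try:
        results["concatenated"] = find_by_last_name_concat(conn, account_name)
    except sqlite3.Error as exc:
        # The concatenated statement is malformed; the database rejects it.
        results["concatenated"] = "error: " + str(exc)
    conn.close()
    return results

if __name__ == "__main__":
    for variant, outcome in compare().items():
        print(f"{variant}: {outcome}")
```

Running it shows the parameterized lookup returning the O'Brien row while the concatenated version fails with a syntax error; the fix for the error is not to escape the apostrophe by hand but to stop building the statement from strings at all.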