DEV Community

Cover image for SQL Injection in Java
Wagner Negrão 👨‍🔧
Wagner Negrão 👨‍🔧

Posted on

SQL Injection in Java

Hello, in this post I will speak about SQL injection, which is an old problem but still exists in applications vulnerable to this type of action.

Before of begin, about SQL injection we will see this scenery for example, and abstract.

Firstly, have a class Connection that has like responsibility make connections with the database and accomplish the persistence, this class has two variables, name and description of the product. Suppose that these fields are passed from frontend to backend. When having the information of name and description of the product is done the persistence in the database with see below.

public class Connection {
    public static void main(String[] args) throws SQLException {

        private String name;
        private String description;

        Connection conn = DriverManager.getConnection(connection, login, password);

        Statement stm = conn.createStatement();

        stm.execute("INSERT INTO PRODUCT (NAME, DESCRIPTION) VALUES ('"+ name + "', '"+ description +"')");

    }
}
Enter fullscreen mode Exit fullscreen mode

The way it is structured this code allows the insertion of data that provide errors, when having persisted in the database, and also problems of security. When infringing the security of the database the problem of SQL injection, that is insertion of SQL malicious in the search on the database, this commands malicious can be released by forms, request HTTP without validation of the field.

The mode with this class is implemented it works perfectly. however, can occur errors in that the user can pass characters more like String name = "laptop", when done this and generate the execution of SQL we’ll have an exception. This example is well simple, but imagine the case where a user malicious fulfill the following action String description = "laptop dell"); DELETE FROM PRODUCTS; at that moment we will have all ours databases erased, this is only an example of several cases that can happen.

How do if avoid this type of problem? Well, we’ll have treated the input fields before of have added.

public class Connection {
    public static void main(String[] args) throws SQLException {

        String name;
        String description;

        Connection conn = DriverManager.getConnection(connection, login, password);

        PreparedStatement stm =
                conn.prepareStatement("INSERT INTO PRODUCT (NAME, DESCRIPTION) VALUES (?, ?)", Statement.RETURN_GENERATED_KEYS);

        stm.setString(1, name);
        stm.setString(2, description);
        stm.execute();

    }
}
Enter fullscreen mode Exit fullscreen mode

Now, have that are preparing a statement for posteriorly insert of data of variable, when using the set String to receive the variable and convert all data in string od database, then we’ll have something more or less like laptop); DELETE FROM PRODUCT’, not are concatenated the string but insert string SQL, this way avoiding this problem. Understand that is an example, certainly can have evaluators like regex, this way final have a safer application, not possessing vulnerabilities of SQL injection. Exist another form of resolve this problem but I think this form is more simple of understanding.

Discussion (0)