> I agree that it probably is. Unfortunately, as I mentioned in my previous
> post,no one is going to be entering in SQL queries directly through our
> interface. We're not doing it and if someone is, he's up to no good. e.g.
>
> "update users set name='"+name+"'"
>
> If there's a text box in which you enter your name for the first query, I
> can some fun if I enter in
>
> Arsalan'';update funds set money = 100000 where userid =10
>
> Am I right? It's situations like these that I'm trying to prevent. Is there
> a better way?
If I'm not using prepared statements to tend to use something like:
String statement = "update users set name='" + encode(name) + "'";
Where encode is defined as:
/**
* Encode a string suitable for being placed in a query.
*/
final String encode(String dirtyString) {
StringBuffer cleanString = new StringBuffer("");
for (int i = 0; i < dirtyString.length(); i++) {
char c = dirtyString.charAt(i);
cleanString.append(c);
if (c == '\'') {
cleanString.append(c);
}
}
return cleanString.toString();
}
Hope this helps,
Michael Stephenson