Is SQL Injection Possible even on Prepared Statement [Java][Mysql] -
i read many articles on stackoverflow regarding how sql injection can prevented using prepared statements
but there way sql injection on prepared statements or 100% safe
below java code
string query = "select * users username=? , password=?"; ps=con.preparestatement(query); ps.setstring(1,username); ps.setstring(2,password); rs = ps.executequery(); status = rs.next(); if(status==true){ ..... }else{ .... } i tried sql injection queries
some inputs: select * users username = 'xxx@xxx.xxx' or 1 = 1 limit 1 -- ' ] , password = md5('1234'); select * users email = 'xxx@xxx.xxx' , password = md5('xxx') or 1 = 1 -- ]'); i have tried more queries (single quote)' escaped(/') none of sql injection queries seem work.
kindly suggest me if there sql injection queries/techniques can applied sql injection in above code
any appreciated
this query : string query = "select * users username=? , password=?"; safe, because whatever parameters can be, still executed simple select. @ most, end browsing whole table.
but prepared statement tool , (bad) programmers may still misuse it.
let's @ following query
string query = "select id, " + paramname + " users username=? , password=?"; where paramname parameter name. safe paramname is, because use directly variable build string parsed database engine. here preparedstatement cannot because jdbc not allow parameterize column name.
so rule here :
- avoid such construct if can !
- if need it, double check (regexes, list of allowed strings, etc.)
paramnamecannot other expect because that control prevention against sql injection
Comments
Post a Comment