How do I enable single quotation in the database?

Asked 2 months ago, Updated 2 months ago, 2 views

I'm a super beginner.If there is a single quotation in the database, an error will appear.How can I enable single quotation?

java mysql

2022-09-30 14:07

1 Answers

sql="SELECT* FROM tbl WHERE name='+param+"";

With these codes, if the param contains a string containing a single quotation, for example, 123'456, the generated SQL is

SELECT* FROM tbble WHERE name='123'456'

This results in a syntax error.The same goes for using format instead of string concatenation

.

Syntax errors are fine, but param is 'OR1 with unintended results.This is the so-called SQL injection vulnerability.

To prevent this,

- Use binding mechanism using placeholder
- Escape SQL to the correct form as a string literal when assembling it

One of the is required.

Also, there are other things to be careful about when using RDBMS from the program, so first read the IPA How to Create a Secure Website (https://www.ipa.go.jp/security/vuln/websecurity.html), "How to Call Secure SQL."


2022-09-30 14:07

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.