With this code, if the parameter contains a string with a single quotation mark, for example 123'456, the generated SQL is
This results in a syntax error. The same goes for using format instead of string concatenation.
A syntax error by itself is harmless, but input such as 'OR1 can make the query run with unintended results. This is the so-called SQL injection vulnerability.
To prevent this, one of the following is required:
- Use a binding mechanism with placeholders
- Escape the value into a correct string literal when assembling the SQL
Also, there are other things to be careful about when using an RDBMS from a program, so first read "How to Call Secure SQL" in the IPA's How to Create a Secure Website (https://www.ipa.go.jp/security/vuln/websecurity.html).
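The three variants described above side by side, as an added example that is not part of the original answer: the concatenated query fails on 123'456, while the placeholder version and the escaped-literal version both treat the quote as ordinary data. It assumes a constructed in-memory SQLite table named users with id and name columns.

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline (assumption:
    # a "users" table with an integer id and a text name).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the parameter is pasted straight into the SQL text."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Safe: a placeholder; the driver passes the value separately."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def sql_string_literal(value):
    """Escape into a SQL string literal by doubling single quotes."""
    return "'" + value.replace("'", "''") + "'"


def find_by_name_escaped(conn, name):
    """Safe only because every value goes through sql_string_literal()."""
    sql = "SELECT id FROM users WHERE name = " + sql_string_literal(name)
    return [row[0] for row in conn.execute(sql)]


def demo(name="123'456"):
    """Run all three variants on the same input and report what happened."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = find_by_name_concat(conn, name)
    except sqlite3.OperationalError:
        results["concat"] = "syntax error"   # '123'456' breaks the parser
    results["bound"] = find_by_name_bound(conn, name)
    results["escaped"] = find_by_name_escaped(conn, name)
    return results


if __name__ == "__main__":
    print(demo())
```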
© 2022 OneMinuteCode. All rights reserved.