SQL Injection vulnerabilities have been on the OWASP Top 10 list since its beginning. They may appear in all languages including the Web’s two most popular languages: PHP and Java. SQL Injection vulnerabilities pose a serious threat to sensitive data and web application security in general. Attackers may use malicious code to get full control of the system.
To prevent SQL Injection attacks in Java, you must treat user input passed to the SQL queries as untrusted and avoid dynamic SQL queries created using simple string concatenation. If possible, you should validate input against a whitelist and use parametrized queries also known as prepared statements in Java JDBC. To show you how to do this, we will use a simple example where the web application displays information on fish.
Step 1: Validate input
If possible, validate the data supplied by the user against a whitelist. For example, in the example application, the fish species ID is an integer. After you obtain the fish species ID from the
GET request, you can use the following to convert the parameter value to an integer:
Step 2: Prepare a query
Create your query using regular SQL commands. In the query, use question marks as placeholders to denote where you are using user-supplied data. For example:
Step 3: Create the prepared statement
Create the prepared SQL statement:
Note: Do not use
Step 4: Pass the parameters to the prepared statement
Bind your parameters to the query. For example, to bind the value of the fish species ID, use:
The 1 stands for first parameter. You can use
setDouble methods as well, depending on the parameter type.
Step 5: Execute your query
After you pass the parameters, you may execute your query. For example:
Step 6: Validate your application
To make sure that your application is secure, use Acunetix and run a website vulnerability scan for your website.
You can also create prepared statements in JPA using
setParameter methods. Prepared statements are the easiest method to protect your Java application against SQL Injection attacks but they are not the only one. Other methods include, for example, using stored procedures (supported by some databases). You may also use additional protection methods such as the least privilege rule (running database queries using users with very limited privileges).