[JAVA] SQL Injection Preventive Code Example
Wrong example:
StringBuilder sql = new StringBuilder();
sql.append("SELECT \n");
sql.append(" COUNT(*) CNT \n");
// user input is concatenated straight into the SQL text, so it can alter the query
sql.append("FROM TABLE WHERE 1=1 AND COL = '" + type + "' AND COL2 = '1' \n");
pstmt = conn.prepareStatement(sql.toString());
Right example:
StringBuilder sql = new StringBuilder();
sql.append("SELECT \n");
sql.append(" COUNT(*) CNT \n");
// a ? placeholder stands in for the value; the driver binds it as data, never as SQL
sql.append("FROM TABLE WHERE 1=1 AND COL = ? AND COL2 = '1' \n");
pstmt = conn.prepareStatement(sql.toString());
pstmt.setString(1, type);
Never build a conditional clause by concatenating a variable into the SQL string.
Use a placeholder and bind the value instead -> pstmt.setString(1, type);
The same rule applies when the query runs through jdbcTemplate.
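The two bound-parameter variants side by side, as an added example that is not part of the original post: the plain JDBC form from the "right" example, and the same query through Spring's JdbcTemplate, which the post mentions. MY_TABLE, COL and COL2 are placeholder names standing in for the post's TABLE/COL/COL2 (TABLE itself is a reserved word); Spring JDBC is assumed to be on the classpath for the second method.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;

public class TypeCountDao {

    // Placeholder table/column names standing in for the post's TABLE / COL / COL2.
    // The only variable part of the query is the ? marker; the SQL text never changes.
    private static final String COUNT_SQL =
        "SELECT COUNT(*) AS CNT FROM MY_TABLE WHERE 1=1 AND COL = ? AND COL2 = '1'";

    // Plain JDBC: the caller-supplied value is bound, never spliced into the SQL string.
    public static long countByType(DataSource dataSource, String type) throws SQLException {
        try (Connection conn = dataSource.getConnection();
             PreparedStatement pstmt = conn.prepareStatement(COUNT_SQL)) {
            // Whatever characters 'type' contains (quotes, comment markers, ...)
            // are sent to the database as a string value, not as SQL.
            pstmt.setString(1, type);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getLong("CNT") : 0L;
            }
        }
    }

    // Same query via Spring JdbcTemplate: the trailing varargs are bound to the
    // ? markers in order, so this is equivalent to prepareStatement + setString.
    public static long countByType(JdbcTemplate jdbcTemplate, String type) {
        Long cnt = jdbcTemplate.queryForObject(COUNT_SQL, Long.class, type);
        return cnt == null ? 0L : cnt;
    }
}
```

Both methods keep the SQL text constant and pass `type` only as a bound parameter, which is the property that makes the "right" example safe regardless of what the input contains.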
😀
Thank you !!
Thanks !!