[JAVA] SQL Injection Preventive Code Example

Wrong example:

    sql.append("SELECT \n");
    sql.append("  COUNT(*) CNT \n");
    // Vulnerable: the variable `type` is concatenated straight into the WHERE clause,
    // so whatever it contains becomes part of the SQL text
    sql.append("FROM TABLE WHERE 1=1 AND COL " + type + " AND COL2 = '1' \n");
    pstmt = conn.prepareStatement(sql.toString());

Right example:

    sql.append("SELECT \n");
    sql.append("  COUNT(*) CNT \n");
    // The value goes through a `?` placeholder and is bound below, so it is
    // always treated as data, never as SQL syntax
    sql.append("FROM TABLE WHERE 1=1 AND COL = ? AND COL2 = '1' \n");
    pstmt = conn.prepareStatement(sql.toString());
    pstmt.setString(1, type);

You must not concatenate variables into conditional clauses; bind them like this -> pstmt.setString(1, type); This is the same condition as when we use jdbcTemplate 😀 Thank you !! Thanks !!
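One caveat the post's snippet hints at: a `?` placeholder can only stand in for a value, never for an operator or column name, so if `type` carries something like `=` or `<>` that part has to come from a fixed allowlist while the value itself is bound. The following is an added example, not the post's code; it mirrors the JDBC `?` pattern with Python's sqlite3 (same placeholder syntax) so it runs offline, and the table `TBL`, its rows and `ALLOWED_OPERATORS` are constructed for the demo.

```python
import sqlite3

# A bound parameter can only replace a value, so the non-value part of the
# predicate that varies (here the comparison operator) is checked against a
# fixed set instead of being concatenated from user input.
ALLOWED_OPERATORS = {"=", "<>", "<", ">", "<=", ">="}


def build_statement(operator, value):
    """Return (sql, params) with the value supplied via a ? placeholder.

    Raises ValueError when the operator is not in the allowlist."""
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    sql = (
        "SELECT COUNT(*) AS CNT "
        "FROM TBL WHERE 1=1 AND COL " + operator + " ? AND COL2 = '1'"
    )
    return sql, (value,)


def count_rows(conn, operator, value):
    """Execute the parameterized count, equivalent to pstmt.setString(1, value)."""
    sql, params = build_statement(operator, value)
    return conn.execute(sql, params).fetchone()[0]


def make_sample_db():
    """Constructed in-memory table standing in for the post's TABLE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TBL (COL TEXT, COL2 TEXT)")
    conn.executemany("INSERT INTO TBL VALUES (?, ?)", [
        ("a", "1"), ("b", "1"), ("c", "2"), ("o'brien", "1"),
    ])
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    print(count_rows(conn, "=", "a"))        # 1
    print(count_rows(conn, "=", "o'brien"))  # 1: the quote is data, not syntax
    print(count_rows(conn, "<>", "a"))       # 2
```

The bound value containing a single quote is matched literally, which is exactly what string concatenation would have broken.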