stazz / java-sql-generator

A framework to generate syntactically correct SQL statements in a typesafe, easy, and uniform way (without StringBuilders).

Make SQL-Generator resistant to SQL injections #9

Open stazz opened 12 years ago

stazz commented 12 years ago

Make the strings produced by java-sql-generator take into account the possibility for SQL injection.

stazz commented 12 years ago

Although developers should be strongly advised to use ? as a placeholder for variables, in conjunction with java.sql.PreparedStatement objects. Hence this should be a low-priority issue.

stazz commented 11 years ago

Actually, this has more to do with situation where things like column names etc are taken from the user input. Therefore, all string parameters of all factory methods in SQL Generator should be sanitized.

eskatos commented 11 years ago

Couldn't these be PreparedStatement parameters too?

stazz commented 11 years ago

Well yes, but I meant the cases when you get user input for, e.g., your column names in a table definition. Can't use prepared statement parameters there, IIRC. I might be wrong, but there are cases where you can't use prepared statements or PS parameters.
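As an added example, not code from java-sql-generator or any of the commenters, the Python script below uses sqlite3 to show the distinction the thread is drawing: a value bound through a ? placeholder is safe, a column name concatenated into the statement text is not, binding the column name as a parameter merely turns it into a string literal, and the fix for identifiers is an allowlist where the legal names are known plus dialect-appropriate identifier quoting where the names are user-chosen, as in the CREATE TABLE case. The schema, rows, hostile column names and the 64-character identifier limit are all constructed for this example.

```python
import sqlite3

# Added example (not java-sql-generator code): why a column name taken from
# user input cannot be protected by a PreparedStatement-style parameter, and
# what a generator has to do for identifiers instead. sqlite3 keeps it offline.


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice@example.com", "s3cret-alice", "admin"),
         (2, "bob@example.com", "s3cret-bob", "user")],
    )
    return conn


def select_unsafe(conn, column: str, role: str) -> list:
    """The role value is bound with '?', but the column name is concatenated.
    A 'column name' such as
        password FROM users WHERE 1=1 OR role = ? --
    rewrites the statement; the trailing '--' comments out the original tail."""
    sql = "SELECT " + column + " FROM users WHERE role = ?"
    return [row[0] for row in conn.execute(sql, (role,))]


def select_param_identifier(conn, column: str, role: str) -> list:
    """Binding the column name as a parameter is safe but useless: the driver
    binds it as a string literal, so every row yields the text 'email'."""
    sql = "SELECT ? FROM users WHERE role = ?"
    return [row[0] for row in conn.execute(sql, (column, role))]


MAX_IDENT_LEN = 64  # assumed limit for this example; use your dialect's real maximum


def quote_identifier(name: str) -> str:
    """SQL-standard identifier quoting: wrap in double quotes and double any
    embedded double quote. Dialects differ (MySQL backticks, SQL Server
    brackets); this is the ANSI form that SQLite and PostgreSQL accept."""
    if not name or "\x00" in name or len(name) > MAX_IDENT_LEN:
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


ALLOWED_COLUMNS = frozenset({"id", "email", "role"})  # 'password' deliberately absent


def select_safe(conn, column: str, role: str) -> list:
    """When the set of legal identifiers is known, an allowlist is the strongest
    check; quoting is still applied so a reserved word cannot break the SQL."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = "SELECT " + quote_identifier(column) + " FROM users WHERE role = ?"
    return [row[0] for row in conn.execute(sql, (role,))]


def create_table_safe(conn, table: str, columns: list) -> list:
    """The DDL case from the thread: user-chosen table and column names with no
    allowlist available. Quoting turns a hostile name into an odd but harmless
    column name instead of a statement break. Returns the names SQLite stored."""
    cols = ", ".join(quote_identifier(c) + " TEXT" for c in columns)
    conn.execute("CREATE TABLE " + quote_identifier(table) + " (" + cols + ")")
    pragma = "PRAGMA table_info(" + quote_identifier(table) + ")"
    return [row[1] for row in conn.execute(pragma)]


def table_names(conn) -> set:
    """Names of all tables, used to confirm nothing was dropped."""
    return {row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}


if __name__ == "__main__":
    db = make_db()
    print(select_unsafe(db, "password FROM users WHERE 1=1 OR role = ? --", "user"))  # leaks every password
    print(select_param_identifier(db, "email", "user"))  # ['email'], the literal, not an address
    print(select_safe(db, "email", "user"))  # ['bob@example.com']
    print(create_table_safe(db, "notes", ["id", 'x" TEXT); DROP TABLE users; --']))
    print(table_names(db))  # users is still there
```

The allowlist is the check to reach for whenever the generator's caller can enumerate the legal column names; quoting alone only guarantees the statement stays a single, well-formed statement, not that the chosen column is one the user is entitled to read. Quoting rules are per dialect, so a generator that emits SQL for several databases needs one quoting routine per dialect rather than a single sanitizer.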