TtT23

Reputation: 7030

How to make Servlet calls from JSP more secure?

I have a JSP page with few comboboxes, a grid and a button for refreshing grid. Whenever the user presses the refresh button, the JSP page calls servlet, performs queries and refreshes the grid with newly retrieved data based on the values in comboboxes.

So in Javascript, this is more or less what I'm doing:

<script>
    function getSRCHGTData() {
        // Test call to a servlet; the response is just shown in an alert.
        $.get('api/ServletTest', function(data) {
            alert(data);
        });

        // Read the selected customer code from the Kendo combobox.
        var comboBox = $("#cb_cus_cd").data("kendoComboBox");

        // Point the grid's read URL at the servlet, passing cus_cd as a query parameter.
        var grid = $("#grid_SRCHGT").data("kendoGrid");
        grid.dataSource.transport.options.read.url = "api/srchgt_read?cus_cd=" + comboBox.value();

        // Re-fetch the data and redraw the grid.
        grid.dataSource.read();
        grid.refresh();
    }
</script>

It doesn't seem secure at all to me to pass the parameters like that, as one could easily look at the URL of the servlet and perform SQL injection.

How can I make the call more secure?

Edit: An elaboration: The servlet already does its share of validating the input before querying the database (sanitizing input, preparing statements, etc.). What I'm more worried about is that I'm exposing the parameters when calling the servlet via URL (for instance, they can take a look at the cus_cd parameter from below).

Upvotes: 0

Views: 365

Answers (3)

Suresh Atta

Reputation: 122016

Simply telling: do not rely on and trust client-side validation.

It's always better to pass all servlets through filters and check whether proper authentication is there or not.

Upvotes: 0

millimoose

Reputation: 39990

You shouldn't try to make the calls more secure, since the user can always sniff on them, and a determined attacker can probably break through obfuscation. You need to make sure the service itself is secure. (I.e. has proper authentication, authorization, and sanitizes input appropriately.)

Upvotes: 1

Adeel Ansari

Reputation: 39907

SQL injection should not be a concern here. That can be avoided at the database layer. I mean you can make use of PreparedStatement in order to avoid SQL injection attacks.

Have a look here: Preventing SQL Injection in Java.

Upvotes: 1
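Putting the three answers together as an added example (not code from the question or from any of the answers): a servlet filter that turns away unauthenticated requests to everything under /api/, and the servlet behind the page's api/srchgt_read URL reading cus_cd through a PreparedStatement. The class names, the table and column names, the whitelist regex, the JNDI name and the "user" session attribute are all assumptions; javax.servlet 4.0 is assumed so the filter need not implement init() and destroy().

```java
// File 1: ApiAuthFilter.java (hypothetical name; javax.servlet 4.0 API assumed)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
// Runs before every /api/* servlet: a caller with no logged-in session is turned away,
// so knowing the servlet URL and its parameter names is not enough to query anything.
@WebFilter("/api/*")
public class ApiAuthFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession s = ((HttpServletRequest) req).getSession(false);
        if (s == null || s.getAttribute("user") == null) { // "user" is set at login (not shown)
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}

// File 2: SrchgtReadServlet.java (hypothetical; backs the page's api/srchgt_read URL)
import java.io.IOException;
import java.sql.*;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;
@WebServlet("/api/srchgt_read")
public class SrchgtReadServlet extends HttpServlet {
    @Resource(name = "jdbc/srchgt") private DataSource ds; // JNDI name is assumed
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        String cusCd = req.getParameter("cus_cd");
        // Reject anything outside the expected shape before it reaches the database.
        if (cusCd == null || !cusCd.matches("[A-Za-z0-9_-]{1,20}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid cus_cd");
            return;
        }
        // Bound parameter: the value travels as data and cannot change the SQL text.
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                     "SELECT item_cd, qty FROM srchgt WHERE cus_cd = ?")) {
            ps.setString(1, cusCd);
            try (ResultSet rs = ps.executeQuery()) {
                resp.setContentType("text/plain"); // JSON for the Kendo grid omitted for brevity
                while (rs.next()) resp.getWriter().println(rs.getString("item_cd") + "," + rs.getInt("qty"));
            }
        } catch (SQLException e) { throw new ServletException(e); }
    }
}
```

The filter answers the question's actual worry: the URL and cus_cd stay visible to the browser, but only an authenticated session can use them, and the bound parameter means the value can never become SQL.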
