CODEWITHSUNDEEP
javasqlswingjtabletablemodel
Paul
Paul

Reputation: 169

Allowing column name to be specified makes it a potential SQL injection risk

I have these two methods where I was told that "the fact you allow the column name to be specified is (an SQL) injection risk". What does even mean? To be specified by whom? And how can I fix it? 

public void tableChanged(TableModelEvent e) {
    int row = e.getFirstRow();
    int col = e.getColumn();
    model = (MyTableModel) e.getSource();
    String stulpPav = model.getColumnName(col);
    Object data = model.getValueAt(row, col);
    Object studId = model.getValueAt(row, 0);
    System.out.println("tableChanded works");
    try {
        new ImportData(stulpPav, data, studId);
        bottomLabel.setText(textForLabel());
    } catch (ClassNotFoundException e1) {
        e1.printStackTrace();
    } catch (SQLException e1) {
        e1.printStackTrace();
    }
}

public class ImportData {    

    public ImportData(String a, Object b, Object c)
            throws ClassNotFoundException, SQLException {
        PreparedStatement prepStmt = null;
        try {
            connection = TableWithBottomLine.getConnection();
            String stulpPav = a;
            String duom = b.toString();
            String studId = c.toString();
            System.out.println(duom);

            String updateString = "update finance.fin " + "set ? = ? " + "where ID = ? "+ ";";
            prepStmt = connection.prepareStatement(updateString);
            prepStmt.setString(1, stulpPav);
            prepStmt.setString(2, duom);
            prepStmt.setString(3, studId);              

        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            if (prepStmt != null)
                prepStmt.close();
            System.out.println("Data was imported to database");
        }  
    }   
}

Upvotes: 1

Views: 51

Answers (1)

Peter Lawrey
Peter Lawrey

Reputation: 533492

What does even mean? :)

It means, that if the String was changed, you could put in SQL code to do something different, like updating a password, or garnting access to the systems.

To be specified by whom?

Any code which can access the column name, this is only a problem if the user has access to this field.

And how can I fix it?

Check that there really is no way for the user to specify this column name, and ignore the message

Upvotes: 1

Related Questions