DKG

Reputation: 387

Avoiding SQL injection while constructing SELECT

I want to avoid SQL injection. I am posting the question by simplifying the problem I am working on.

The client wants to view a set of columns from a table. It passes the table name and a list of columns. The client is aware of the table name and the full list of possible columns through a secured API.

On the server, I am constructing a SELECT query using the table name and list of columns passed.

I cannot use a view.

To avoid SQL injection, this is what I am planning to do.

  1. Check if the columns passed are part of the all possible list of columns.
  2. Check if a column name contains any characters like =, -, + to avoid any security issues.

Am I missing anything here?

Upvotes: 1

Views: 179

Answers (1)

Erwin Smout

Reputation: 18408

Query the catalog to check that the entered table name really exists in the database. (And likewise for checking that the entered column names really are columns of the named table.)

Upvotes: 4
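The following is an added example, not code from either the questioner or the answerer. It implements both ideas in the thread together: the question's allowlist of advertised tables and columns, and the answer's check against the database catalog. It uses SQLite so it runs offline; the schema, the `EXPOSED` mapping standing in for what the questioner's "secured API" advertises, and all names in it are constructed for the example. The `ssn` column is deliberately present in the table but not advertised, to show that a catalog check proves an identifier exists but does not by itself prove the client may read it.

```python
import sqlite3

# Constructed sample schema for this example; the original question names no
# tables or columns. "ssn" exists in the database but is NOT advertised to
# clients, so a catalog check alone must not be enough to select it.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER, ssn TEXT);
CREATE TABLE departments (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO employees VALUES (1, 'Ada', 100, '000-00-0001');
INSERT INTO departments VALUES (1, 'Research');
"""

# What the questioner's "secured API" advertises to clients (an assumption:
# the tables and columns a client is allowed to request).
EXPOSED = {
    "employees": {"id", "name", "salary"},
    "departments": {"id", "title"},
}


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_ident(name):
    """Quote an identifier with SQL-standard double quotes, doubling any
    embedded quote. Only applied to names that already passed the checks."""
    return '"' + name.replace('"', '""') + '"'


def catalog_columns(conn, table):
    """The answer's suggestion: ask the catalog. Returns the table's real column
    names, or None if no such table exists. In SQLite the catalog is
    sqlite_master; the client string is bound as a parameter, so it is
    compared as data and never spliced into SQL text."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    if row is None:
        return None
    # PRAGMA does not accept bound parameters, so interpolate only the name the
    # catalog itself returned (quoted); that string is trusted, the request is not.
    rows = conn.execute(f"PRAGMA table_info({quote_ident(row[0])})").fetchall()
    return [r[1] for r in rows]  # row layout: (cid, name, type, notnull, dflt, pk)


def build_select(conn, table, columns, exposed=EXPOSED):
    """Return a SELECT built only from identifiers that are (a) advertised to
    clients and (b) present in the catalog; anything else raises ValueError.
    Exact-match membership makes scanning for characters like '=', '-' or '+'
    unnecessary: a string containing them simply matches nothing."""
    if not columns:
        raise ValueError("no columns requested")
    if table not in exposed:
        raise ValueError(f"table not exposed to clients: {table!r}")
    real = catalog_columns(conn, table)
    if real is None:
        raise ValueError(f"table not in catalog: {table!r}")
    rejected = [c for c in columns if c not in exposed[table] or c not in real]
    if rejected:
        raise ValueError(f"unknown or unexposed columns: {rejected!r}")
    # Every name below is byte-for-byte equal to an allowlisted, catalog-backed
    # identifier; quoting is defence in depth, not the primary control.
    select_list = ", ".join(quote_ident(c) for c in columns)
    return f"SELECT {select_list} FROM {quote_ident(table)}"


def try_request(conn, table, columns):
    """The generated SQL, or None if the request was refused."""
    try:
        return build_select(conn, table, columns)
    except ValueError:
        return None


def demo_rows(table, columns):
    """Run a request against a fresh demo database; rows, or None if refused."""
    conn = open_demo_db()
    sql = try_request(conn, table, columns)
    return None if sql is None else conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = open_demo_db()
    for table, cols in [
        ("employees", ["name", "salary"]),            # legitimate request
        ("employees", ["ssn"]),                       # real column, not advertised
        ("employees", ["name FROM employees; --"]),   # injection attempt
        ("sqlite_master", ["sql"]),                   # real table, not advertised
        ("employees", ["Name"]),                      # wrong case: no exact match
    ]:
        sql = try_request(conn, table, cols)
        print(f"{table} {cols} -> {sql or 'REJECTED'}")
        if sql:
            print("   ", conn.execute(sql).fetchall())
```

The order of the checks matters in a real service: the allowlist is consulted before the catalog, so an unadvertised table name never reaches a query, and the catalog query itself takes the name as a bound parameter. On PostgreSQL or MySQL the same shape works with `information_schema.tables` and `information_schema.columns`, which, unlike SQLite's `PRAGMA`, accept bound parameters directly.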
