Reputation: 7785
I just read this question when I wondered how complex I should build my queries.
Until now, I just built a String using StringBuilder, because in this application only select, update, insert and delete are used. Now I was also wondering about correct escaping, when I asked myself why escaping is not just escaping those signs `'` to this `\'`.
Is there a more complex behaviour behind escaping or would this be complete?
Thanks for input!
Upvotes: 1
Views: 291
Reputation: 56429
String built SQL is a bad idea, as it makes you prone to SQL Injection attacks.
If you can, put your queries into Stored Procedures and parameterize your input values.
For information on SQL Injection attacks and how to prevent them, see the Open Web Application Security Project site:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Upvotes: 2
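To make the answer's point concrete, here is an added example (not code from either post) that puts the question's `'` to `\'` escaping next to a parameterized query. It uses Python's built-in sqlite3 module with a constructed in-memory table in place of the Java StringBuilder setup, because SQLite follows the SQL standard, where `\` is not an escape character inside a string literal, so the naive scheme produces invalid SQL for a perfectly ordinary value, while the parameterized version handles the same value without any escaping at all.

```python
import sqlite3


def setup_db():
    """Create a constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("O'Brien",)],  # constructed sample data
    )
    return conn


def naive_escape(value):
    """The escaping scheme from the question: replace ' with \\'."""
    return value.replace("'", "\\'")


def find_by_name_string_built(conn, name):
    """StringBuilder-style query assembly with the naive escape.

    Returns the list of matching names, or an 'error: ...' string when the
    assembled SQL text does not parse. SQLite does not treat backslash as an
    escape inside string literals, so 'O\\'Brien' ends the literal early and
    leaves an unterminated quote behind.
    """
    sql = "SELECT name FROM users WHERE name = '" + naive_escape(name) + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def find_by_name_parameterized(conn, name):
    """Parameterized query: the value is passed to the driver separately
    from the SQL text, so none of its characters are read as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = setup_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, "| string-built:", find_by_name_string_built(db, candidate))
        print(candidate, "| parameterized:", find_by_name_parameterized(db, candidate))
```

The string-built lookup works for `alice` and fails for `O'Brien`; the parameterized lookup returns the right row for both. The SQL standard escapes a quote by doubling it (`''`), and engines such as MySQL additionally accept `\'` depending on server mode, so a hand-written escape routine has to match the exact dialect and configuration it runs against. Parameterization removes that dependency, which is the reason it is the recommended defence rather than "more complete" escaping.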