i have use case in trying create whole sql based on user`s ip api.
eg: user hits api format /what/table/field/field_value?name=value1
public static result getrows(string what, string table, string field, string field_value, string more_where_clause) throws sqlexception { //more_where_clause have many condition clause string sql = string.format("select ? ? ?=?"); if (!where.equals("")) { sql += string.format(" , ?"); } resultset rs = targetdb.query(sql, what, table, field, field_value, more_where_clause); public <t extends comparable<t>>resultset query(string sql, t... args) throws sqlexception { resultset rs = null; try{ preparedstatement = conn.preparestatement(sql); for(int i=0; i<args.length; i++){ preparedstatement.setobject(i + 1, args[i]); } rs = preparedstatement.executequery(); } catch(sqlexception e) { e.printstacktrace(); } return rs; } but when query using :
/name/user_table/first_name/john?last_name=doe i sql string
select 'name' 'user_table' 'first_name'='john' , 'last_name=doe' preparedstatement.setobject(i + 1, args[i]); infers string.
what better way , avoid sql injection. edit : apart parameterizing clause part, other checks can do? how take care of more_where_clause user can enter more things condition.
you can't bind names (field, table, etc.), values.
based on security principles can define "white-list" regular expression check name conformity restriction (ie allowing [a-zaz0-9_-]+)
poorer solution define "black-list" on forbid double-quotes (") , escape sequences (if dealing multiple rdbms engine, can pain) , put names between double-quotes. aware of case-sentivity when using double-quotes.
you can check owasp librairies. know offer apis deal html, css, javascript & http injections. may define api deal generated sql.
ultimately can build/query database metadata , match object names against provided ones. in case can rely on value binding. in case don't forget use value returned metadata , enclosed them in double-quotes on generated sql.
Comments
Post a Comment