How do I enable single quotation in the database?

Asked 2 years ago, Updated 2 years ago, 46 views

I'm a super beginner.If there is a single quotation in the database, an error will appear.How can I enable single quotation?

java mysql

2022-09-30 14:07

1 Answers

sql="SELECT* FROM tbl WHERE name='+param+"";

With these codes, if the param contains a string containing a single quotation, for example, 123'456, the generated SQL is 

SELECT* FROM tbble WHERE name='123'456'

This results in a syntax error.The same goes for using format instead of string concatenation

.

Syntax errors are fine, but param is 'OR1 with unintended results.This is the so-called SQL injection vulnerability.

To prevent this,

- Use binding mechanism using placeholder
- Escape SQL to the correct form as a string literal when assembling it

One of the is required.

Also, there are other things to be careful about when using RDBMS from the program, so first read the IPA How to Create a Secure Website (https://www.ipa.go.jp/security/vuln/websecurity.html), "How to Call Secure SQL."

2022-09-30 14:07

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

613 GDB gets version error when attempting to debug with the Presense SDK (IDE)

1022 In Java servlet, when SHA-256 sends WW-Authenticate header for digest authentication, the client does not return the result.

582 PHP ssh2_scp_send fails to send files as intended

574 Who developed the "avformat-59.dll" that comes with FFmpeg?

590 Scrap text information after the "View More" button when searching in the Yahoo! News search window

© 2024 OneMinuteCode. All rights reserved.