How do I enable single quotation in the database?

Asked 1 years ago, Updated 1 years ago, 40 views

I'm a super beginner.If there is a single quotation in the database, an error will appear.How can I enable single quotation?

java mysql

2022-09-30 14:07

1 Answers

sql="SELECT* FROM tbl WHERE name='+param+"";

With these codes, if the param contains a string containing a single quotation, for example, 123'456, the generated SQL is 

SELECT* FROM tbble WHERE name='123'456'

This results in a syntax error.The same goes for using format instead of string concatenation

.

Syntax errors are fine, but param is 'OR1 with unintended results.This is the so-called SQL injection vulnerability.

To prevent this,

- Use binding mechanism using placeholder
- Escape SQL to the correct form as a string literal when assembling it

One of the is required.

Also, there are other things to be careful about when using RDBMS from the program, so first read the IPA How to Create a Secure Website (https://www.ipa.go.jp/security/vuln/websecurity.html), "How to Call Secure SQL."

2022-09-30 14:07

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

541 Understanding How to Configure Google API Key

543 PHP ssh2_scp_send fails to send files as intended

518 The method of the class of the application that I am creating in Typescript does not work as I expected.

539 Unable to install versioned in Google Colab

541 rails db:create error: Could not find mysql2-0.5.4 in any of the sources

© 2024 OneMinuteCode. All rights reserved.