
A bad way of running a SQL query in JDBC


import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

// The user we want to find. In practice this value arrives from an
// untrusted request parameter, which is what makes the query below dangerous.
String email = "user@email.com";

// Connect to the database (URL, USER and PASS are the JDBC connection settings).
Connection conn = DriverManager.getConnection(URL, USER, PASS);
Statement stmt = conn.createStatement();

// Bad, bad news! Don't construct the query with string concatenation:
// an email of ' OR '1'='1 turns this into a query that matches every row,
// because the database cannot tell the data apart from the SQL syntax.
String sql = "SELECT * FROM users WHERE email = '" + email + "'";

// I have a bad feeling about this...
ResultSet results = stmt.executeQuery(sql);

while (results.next()) {
  // ...oh look, we got hacked.
}

Source: www.hacksplaining.com
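The injection the snippet warns about, and the fix, as an added example that is not part of the original snippet or of hacksplaining's material. It runs the concatenated query and a PreparedStatement version side by side against constructed sample data; the in-memory H2 database (the jdbc:h2:mem:demo URL, the sa user and the H2 driver on the classpath) is an assumption, and any JDBC source with a users table would do. With the tautology payload the concatenated query matches every row, while the prepared query treats the payload as a literal e-mail address and matches nothing.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JdbcInjectionDemo {

    // Vulnerable: the caller's string is spliced into the SQL text, so the
    // database parses whatever the caller wrote as part of the statement.
    static int countMatchesUnsafe(Connection conn, String email) throws SQLException {
        String sql = "SELECT * FROM users WHERE email = '" + email + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // Fixed: the SQL text is constant; the value travels separately as a
    // bound parameter and is never parsed as SQL, whatever it contains.
    static int countMatchesSafe(Connection conn, String email) throws SQLException {
        String sql = "SELECT * FROM users WHERE email = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, email);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath. The table and rows are
        // constructed sample data for the demonstration.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo", "sa", "")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE users (id INT PRIMARY KEY, email VARCHAR(255))");
                s.execute("INSERT INTO users VALUES (1, 'user@email.com'), (2, 'admin@email.com')");
            }

            // Classic tautology payload: closes the quote, ORs in a true
            // condition, and leaves the original closing quote dangling.
            String payload = "' OR '1'='1";

            System.out.println("unsafe, normal input: " + countMatchesUnsafe(conn, "user@email.com"));
            System.out.println("unsafe, payload     : " + countMatchesUnsafe(conn, payload));
            System.out.println("safe,   normal input: " + countMatchesSafe(conn, "user@email.com"));
            System.out.println("safe,   payload     : " + countMatchesSafe(conn, payload));
        }
    }
}
```

Binding with setString is the whole fix; escaping quotes by hand is not a substitute, since the rules differ per database and per column type. The same ? placeholder technique applies to every value that reaches a WHERE, INSERT or UPDATE, but not to identifiers such as table or column names, which must be validated against an allow-list instead.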