> I agree that it probably is. Unfortunately, as I mentioned in my previous
> post,no one is going to be entering in SQL queries directly through our
> interface. We're not doing it and if someone is, he's up to no good. e.g.
> "update users set name='"+name+"'"
> If there's a text box in which you enter your name for the first query, I
> can some fun if I enter in
> Arsalan'';update funds set money = 100000 where userid =10
> Am I right? It's situations like these that I'm trying to prevent. Is there
> a better way?

If I'm not using prepared statements to tend to use something like:

String statement = "update users set name='" + encode(name) + "'";

Where encode is defined as:

 * Encode a string suitable for being placed in a query.
final String encode(String dirtyString) {
    StringBuffer cleanString = new StringBuffer("");
    for (int i = 0; i < dirtyString.length(); i++) {
        char c = dirtyString.charAt(i);
        if (c == '\'') {
    return cleanString.toString();

Hope this helps,

Michael Stephenson

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster

Reply via email to