I have been using JSP for a while. I have this select statement:
query = "SELECT * FROM USER_PASS WHERE USERNAME = '" + name + "'";
which is vulnerable to SQL injection. I searched a few articles and found that I can use prepared statements to avoid SQL injection. I find it more confusing. My opinion is that if I can find inputs such as ; , ' or -- in the input given by the user, then I can show them an alert message saying you can't use these symbols here and I will not process the data. This could be my JavaScript code:
function validateSQL()
{
    // Look for the characters listed in the question; indexOf() returns -1 when the
    // string is absent, so the original test "pos != 0" fired on almost every input.
    var x = document.forms["myForm"]["username"].value;
    var banned = ["'", ";", "--"];
    for (var i = 0; i < banned.length; i++)
    {
        if (x.indexOf(banned[i]) != -1)
        {
            alert("Trying to hack me?");
            return false;   // returning false from an onsubmit handler cancels the submit
        }
    }
    return true;
}
Which is better to use? Does this have any demerits?
asked Feb 23, 2013 at 6:15 by Kunu Munu
Comments:
- Who says that the attacker is going to use your frontend? Automated SQL injection tools just send HTTP requests. – Blender, Feb 23, 2013 at 6:16
- @Blender: If I am writing a PreparedStatement instead of this JavaScript code, then will it prevent injections? – Kunu Munu, Feb 23, 2013 at 6:18
- I would +10 Blender's comment if I could: do not trust the client. Prepared statements on the server will prevent all SQL injection attacks (but not necessarily other surfaces). Note: preventing bad information is outside the scope of SQL injection attacks. – user166390, Feb 23, 2013 at 6:18
- @Blender: So shall I delete the question? I got the answer I was looking for from your comment. – Kunu Munu, Feb 23, 2013 at 6:20
1 Answer
You absolutely cannot depend on JavaScript on the client to protect you; malicious users can easily circumvent any client-side checks: you can simply disable JavaScript at any time in your browser.
Just because something is confusing doesn't mean that you shouldn't do it; parameterized queries are not confusing, so you should practice and learn until you understand.
; , -- are not even close to the only symbols that could cause SQL injection.
I'm not familiar with JSP, but the method for preparing queries seems simple enough:
String myquery = "SELECT * FROM USER_PASS WHERE USERNAME = ?";   // the ? is a placeholder; the SQL text never contains user input
PreparedStatement mystatement = connection.prepareStatement(myquery);
mystatement.setString(1, name);   // name is bound as a value, so quotes or comment markers in it are just data
ResultSet myresults = mystatement.executeQuery();   // executeQuery() returns the ResultSet; execute() only returns a boolean
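As an added example (not code from the question or the answer), here is the same lookup written both ways in a small Java class for a JSP or servlet backend; the USER_PASS table, its USERNAME column and the open JDBC Connection are assumptions. It also shows the demerit of the question's client-side blacklist: a legitimate username containing an apostrophe is rejected by the blacklist and breaks the concatenated query, while the bound parameter handles it as plain data.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not code from the original question or answer.
// Assumes a table USER_PASS with a USERNAME column and an open JDBC Connection.
public class UserLookup {

    // The question's form, kept only for contrast: the user's input is pasted into the SQL
    // text, so any quote in it changes the statement itself instead of being treated as data.
    static String buildConcatenatedQuery(String name) {
        return "SELECT * FROM USER_PASS WHERE USERNAME = '" + name + "'";
    }

    // The answer's form: the SQL text is fixed when the statement is prepared and the value
    // is bound separately, so quotes, semicolons and "--" inside name are never parsed as SQL.
    static boolean userExists(Connection connection, String name) throws SQLException {
        String sql = "SELECT 1 FROM USER_PASS WHERE USERNAME = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, name);            // bound as a value, not spliced into the text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();             // true if at least one row matched
            }
        }
    }

    // Mirrors the question's client-side check; shown to illustrate its demerit, not recommended.
    static boolean passesBlacklist(String name) {
        return !(name.contains("'") || name.contains(";") || name.contains("--"));
    }

    public static void main(String[] args) {
        String legitimate = "O'Brien";        // a real name that happens to contain an apostrophe
        // The blacklist rejects a valid user and the concatenated query becomes malformed SQL;
        // userExists() above accepts the same value without either problem.
        System.out.println("blacklist accepts " + legitimate + "? " + passesBlacklist(legitimate));
        System.out.println("concatenated SQL: " + buildConcatenatedQuery(legitimate));
    }
}
```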