Does using preparedStatement mean there will not be any SQL Injection?

As long as you're actually using the parameter substitution feature of the prepared statement (it's possible to misuse them and not use that feature), and provided there isn't a bug in the prepared statement library you're using, then you should be fine against raw SQL injection. That doesn't mean you shouldn't treat whatever the user gives you with suspicion, though. :-).

Although Prepared Statements help in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements. The example below explains such a scenario where the input variables are passed directly into the Prepared Statement and thereby pave the way for SQL Injection attacks.

    // Vulnerable: the value is concatenated into the SQL text, so nothing is actually bound
    String strUserName = request.getParameter("Txt_UserName");
    PreparedStatement prepStmt = con.prepareStatement("SELECT * FROM user WHERE userId = '" + strUserName + "'");

A prepared statement can be vulnerable to SQL injection if it is not done properly.

I will not treat this as preparedStatement even if it says con.PreparedStatement. – Rakesh Juyal Sep 20 '10 at 11:35

@Rakesh: Yeah, but you'd be surprised... :-) – T.J.Crowder Sep 20 '10 at 11:52

Prepared statements do not cover non-data parts of the query - identifiers and operators. Thus, if some of them are variable and being added to the query directly, injection is possible. Thanks to the limited number of possible options, all variable identifiers should be chosen from pre-written variants based on user input.

Same for operators. No user input should be added to the query directly.
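The misuse shown in the earlier answer and the identifier/operator point made in this one, as an added example (not code from any of the answers) written against Python's sqlite3 DB-API rather than the page's JDBC, since the same distinction applies: the concatenating version, the bound-parameter version, and an allow-list for an ORDER BY column and direction, which cannot be parameterised. The table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table, not data from the question.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (userId TEXT, name TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("alice", "Alice"), ("bob", "Bob")])
    return con


def find_user_concat(con, user_id):
    # The misuse from the answer above: the value is spliced into the SQL
    # text, so the statement is "prepared" but carries no parameters at all.
    sql = "SELECT name FROM user WHERE userId = '" + user_id + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_param(con, user_id):
    # Correct use: the placeholder is bound by the driver, so quotes or
    # keywords inside the value are just data and never parsed as SQL.
    sql = "SELECT name FROM user WHERE userId = ?"
    return [row[0] for row in con.execute(sql, (user_id,))]


# Identifiers and keywords cannot be bound, so the query is assembled only
# from these fixed variants, selected by (never copied from) user input.
ALLOWED_ORDER_COLUMNS = {"userId", "name"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users_sorted(con, column, direction):
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column")
    direction_sql = ALLOWED_DIRECTIONS.get(direction.lower())
    if direction_sql is None:
        raise ValueError("unsupported sort direction")
    sql = f"SELECT name FROM user ORDER BY {column} {direction_sql}"
    return [row[0] for row in con.execute(sql)]
```

Running the concatenating and bound versions against the same input shows that only the concatenated query changes meaning when the value contains SQL syntax.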

Using the prepared statement feature of the language provided means you are using a tried and tested solution for the problem - it doesn't mean that there are never any bugs or scope for SQL Injection possibilities, but what it does mean is that you are not the only person using the implementation. The more people using the same implementation for something means the more chances for bugs to be found and eliminated - if you use your own implementation then only you can find and fix the bugs.

The entire point about using a framework is that it's widely used - more chances for issues to be found and fixed, more chance that the code you are consuming via the framework is proven. Your own code can only ever be proven by yourself, and thus you are at a disadvantage when compared to other implementations. So what's wrong with my stance?

– Moo Sep 20 '10 at 11:20.

Short answer: yes, if used properly. However, this does not mean that there can't be bugs in the JDBC driver, opening up for SQL injection. When I looked into this for a company I worked at, I found that there was indeed an SQL injection bug in one of the JDBC drivers we used (PostgreSQL).

This was some years ago, and the bug was fixed. Although I don't remember the specifics, I recall looking at the source code for a JDBC implementation, and seeing that it was implemented with string concatenation. I would expect this to be rare, though, and my advice would be to trust the implementation and use PreparedStatements properly.
