How to prevent SQL injection in PHP?

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

You've got two options - escaping the special characters in your unsafe_variable, or using a parameterized query. Both would protect you from SQL injection. The parameterized query is considered the better practice, but escaping characters in your variable will require fewer changes.

Just use PreparedStatement instead of Statement. I.e. use

    String sql = "INSERT INTO tbl (col1, col2, col3) VALUES (?, ?, ?)";
    // The SQL text is sent to the server as-is; the values are bound separately.
    PreparedStatement preparedStatement = connection.prepareStatement(sql);
    preparedStatement.setString(1, col1);
    preparedStatement.setString(2, col2);
    preparedStatement.setString(3, col3);
    preparedStatement.executeUpdate();

instead of

    // The values are pasted into the SQL text, so they can change the statement itself.
    String sql = "INSERT INTO tbl (col1, col2, col3) VALUES ('" + col1 + "', '" + col2 + "', '" + col3 + "')";
    Statement statement = connection.createStatement();
    statement.executeUpdate(sql);

The PreparedStatement also offers convenient setter methods for other types, such as setInt(), setDate(), setBinaryStream(), etcetera.

Please note that this issue is unrelated to JSP. It's related to Java in general. Writing raw Java code in a JSP class is also considered a poor practice. Best practice is to create a standalone class which does all the DB interaction tasks on a particular table, which is also called a DAO (Data Access Object) class. You can then import/use this DAO class in a servlet class.

See also:
- Java Tutorials - JDBC Tutorial - PreparedStatement
- Difference between Statement and PreparedStatement
- How to send a ResultSet object in jsp back to html (javascript)?
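Both answers above, the PHP one (escape or parameterize) and the Java one (PreparedStatement inside a DAO class), describe the same mechanism. The following is an added example, not code from the question or from either answer, that shows it in PHP since that is what the question asks about: the same INSERT written as unsafe concatenation, as escaped concatenation, and as a prepared statement, inside a small DAO-style class. It assumes PHP 8 with the pdo_sqlite extension; the users table, its columns and the input values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: a DAO-style class that owns all SQL for one table.
final class UserDao
{
    public function __construct(private PDO $pdo)
    {
        // Constructed schema for the demo, kept in memory.
        $this->pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    }

    // Vulnerable: the value is pasted into the SQL text, so the parser cannot
    // tell data from code. A legitimate name such as O'Brien already breaks it,
    // and crafted input would be able to change the statement.
    public function insertConcatenated(string $name, string $email): void
    {
        $sql = "INSERT INTO users (name, email) VALUES ('" . $name . "', '" . $email . "')";
        $this->pdo->exec($sql);
    }

    // Option 1 from the PHP answer: escape before concatenating. PDO::quote()
    // adds the surrounding quotes and escapes embedded ones for this driver.
    // It works, but every call site must remember to do it.
    public function insertEscaped(string $name, string $email): void
    {
        $sql = 'INSERT INTO users (name, email) VALUES ('
            . $this->pdo->quote($name) . ', ' . $this->pdo->quote($email) . ')';
        $this->pdo->exec($sql);
    }

    // Option 2, the recommended one: the SQL text is fixed and parsed first,
    // the values are bound afterwards and can never alter the statement shape.
    public function insertPrepared(string $name, string $email): void
    {
        $stmt = $this->pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
        $stmt->execute([$name, $email]);
    }

    // Reads are parameterized the same way (named placeholder shown here).
    public function findByName(string $name): ?array
    {
        $stmt = $this->pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dao = new UserDao($pdo);

// Constructed input: an ordinary value that happens to contain a quote.
$name  = "O'Brien";
$email = 'obrien@example.invalid';

try {
    $dao->insertConcatenated($name, $email);
} catch (PDOException $e) {
    // The quote terminates the string literal early: a syntax error for this
    // input, and the same gap is what an injection would exploit.
    echo "concatenated: failed (" . $e->getMessage() . ")\n";
}

$dao->insertEscaped($name, $email);
$dao->insertPrepared($name, $email);

$row = $dao->findByName($name);
echo "stored as: " . $row['name'] . "\n";
```

The prepared-statement path is the one to standardize on: with the escaping path, a single forgotten quote() anywhere in the code base reintroduces the problem, whereas a prepared statement with placeholders has no string to get wrong. Keeping every query inside the DAO class also makes it easy to grep for any remaining concatenated SQL.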


Wow, here is a comment that spreads a ton of information, your comment was very helpful to me, you made it simple, I thank you and it's solved because of you! – dany90 Jun 8 at 0:03

You're welcome. By the way, it was an answer, not a comment. Those tiny things which you see below questions/answers are comments :) – BalusC Jun 8 at 0:17

+1 for the "Java code in JSP is a bad practice" comment. It seems like such a great idea when you're getting going with JSPs, but oh the pain when you return later to rip out all that non-view related logic. – Marvo Jun 8 at 0:17


