I am using MySQL as back end and Spring as Frame work I know that spring does not support injection, does that mean that the database is secure and i don't have to handle injection in MySQL?
Asked
Active
Viewed 167 times
0
-
do you mean SQL Injection? Spring support Injection though bean Injection? – Alpesh Gediya May 11 '13 at 16:25
-
yes SQL injection. ok if spring supports injection ,does mysql support injection also? if yes, can i handle injection from mysql database or that should be done through spring? – Dalia William May 11 '13 at 16:40
-
possible duplicate of [Spring (MVC) SQL injection avoidance?](http://stackoverflow.com/questions/8472608/spring-mvc-sql-injection-avoidance) – tadman May 11 '13 at 17:40
1 Answers
0
SQL injection is something that you definitely want to avoid. It's not something that a database or framework supports. It's an attack. Something that you want to avoid. And it won't be solved by any framework.
You have to understand what SQL injection attacks are and when they can happen, and adopt good practices of coding to avoid them: always use prepared statements and never create SQL queries dynamically by appending values coming from untrusted sources.
In short, instead of doing
String sql = "select a, b from some_table where d = '" + valueEnteredByUser + "'";
do the following:
String sql = "select a, b from some_table where d = ?"
and then create a prepared statement and bind valueEnteredByUser to the query parameter.
It's as simple as that.
JB Nizet
- 678,734
- 91
- 1,224
- 1,255