
I have the below select for update query -

String test = "SELECT * FROM " + table_ + " WHERE " " FOR UPDATE ";
PreparedStatement pst = con.prepareStatement(test);

How do I avoid SQL injection in this case? I know using a parameterized query helps, but looking at my query, I have no idea how to parameterize it :( Any suggestions/examples for a select for update query to avoid SQL injection?

Hitesh
rickygrimes
  • Read through this similar thread: http://stackoverflow.com/questions/3451269/parameterized-oracle-sql-query-in-java – gr3co Mar 11 '14 at 07:46
  • It is not a select from update example. – rickygrimes Mar 11 '14 at 07:48
  • Where does table_ come from? There is no parameter at all in this (invalid) query. A select for update is used and parameterized exactly the same way as any other select query. Where is the problem? – JB Nizet Mar 11 '14 at 07:56

2 Answers


For Java, try this:

String test = "SELECT * FROM " + table_ + " WHERE x=? AND y=? FOR UPDATE ";
PreparedStatement pst = con.prepareStatement(test);

pst.setInt(1, xvalue);        // column values are bound as parameters, never concatenated
pst.setString(2, "yvalue");

ResultSet rs = pst.executeQuery();   // a SELECT ... FOR UPDATE returns rows, so executeQuery(), not executeUpdate()
mike_x_

You would only have an SQL injection vulnerability if user input can alter the table_ variable. In that case, I would consider the possibility of redesigning your data schema to better fit the problem, or at least ensure that the table name is one of a predefined set of valid table names before executing the query.

More context about the purpose of the query would be required to give a full solution and explanation.

Elle
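Putting the two answers together (bind the WHERE values as parameters, and accept the table name only from a fixed allow-list because a JDBC placeholder cannot stand in for an identifier), here is an added example written for this page; it is not code from the question or either answer. The table names ORDERS and INVENTORY, the columns id, x and y, and the method names checkedTable and lockRow are all assumptions, and the caller is assumed to supply an open Connection with auto-commit disabled so the row lock taken by FOR UPDATE lasts until commit or rollback (requires Java 9+ for Set.of).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SelectForUpdateExample {

    // Constructed allow-list (assumption): the only table names this code will
    // ever splice into SQL text. Anything else is rejected before a statement
    // is built, so user input can never reach the FROM clause unchecked.
    private static final Set<String> ALLOWED_TABLES = Set.of("ORDERS", "INVENTORY");

    /** Returns the table name if it is on the allow-list, otherwise throws. */
    static String checkedTable(String requested) {
        if (requested == null || !ALLOWED_TABLES.contains(requested)) {
            // Exact match against the allow-list; the rejected value is reported
            // to the caller but never reaches the query string.
            throw new IllegalArgumentException("table not permitted: " + requested);
        }
        return requested;
    }

    /**
     * Locks the matching row with SELECT ... FOR UPDATE and returns its id,
     * or -1 if no row matched. The table name comes only from the allow-list;
     * the WHERE values travel as bound parameters, so neither is SQL-injectable.
     */
    static long lockRow(Connection con, String table, int x, String y) throws SQLException {
        String sql = "SELECT id FROM " + checkedTable(table)
                   + " WHERE x = ? AND y = ? FOR UPDATE";
        try (PreparedStatement pst = con.prepareStatement(sql)) {
            pst.setInt(1, x);        // bound parameter, not concatenated text
            pst.setString(2, y);     // a value such as "1' OR '1'='1" stays a plain string
            try (ResultSet rs = pst.executeQuery()) {   // SELECT -> executeQuery
                return rs.next() ? rs.getLong("id") : -1L;
            }
        }
    }

    // Stand-alone check of the allow-list logic (needs no database).
    public static void main(String[] args) {
        System.out.println(checkedTable("ORDERS"));          // prints ORDERS
        try {
            checkedTable("ORDERS; DROP TABLE ORDERS");       // rejected before any SQL is built
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the set of tables is genuinely open-ended, that is the signal Elle's answer points at: the schema probably wants a single table with a discriminator column, which turns the table name into an ordinary bindable value.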