UPDATE `company` SET `itnumber` = '595959' WHERE (id = 932)
So the value of itnumber is coming from user input for that company. I want to make sure I am able to prevent any kind of SQL injection. So the user inputs 595959 and I build that value as '595959' in the dynamic query. Is it still possible to have a SQL injection attack in this query? I am aware of using prepared statements to prevent SQL injection, but prepared statements might take a lot of development effort for my application, so I am looking for a less time-consuming and easier approach to fix most of my SQL statements where injection is possible.
StringBuffer sb = new StringBuffer();
sb.append(" UPDATE ");
sb.append(DB.quote(table));
sb.append(" SET ");
/* logic if column value has changed */
/* if yes */
sb.append(DB.quote(column.name));
sb.append(" = ");
sb.append(column.getSQLvalue());
sb.append(" WHERE (id = ");
sb.append(columns[0].getSQLvalue());
sb.append(")");
execute(sb.toString());
If you are simply concatenating the input into a SQL string without doing any cleanups (and simply surrounding it with single quotes ' does not make it clean), then yes, it is vulnerable to SQL injection. Please post the code that constructs this SQL for a definitive answer.
Update:
Since you are using getSQLvalue() from the Oracle SQL library, this would ensure that the value passed in is escaped correctly. This is indeed safe from SQL injection; however, it requires you to remember to use it in every place. Using parameters would ensure the same, but without the risk of forgetting to escape your SQL values.
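A side-by-side of the question's quote-and-concatenate approach and the prepared-statement alternative, as an added example that is not the asker's or the answerer's code. It assumes an H2 in-memory JDBC database on the classpath (any JDBC driver behaves the same) and feeds a constructed value containing a single quote to show why wrapping the value in quotes is not enough.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ItNumberUpdate {
    /** The question's approach: wrap the raw value in quotes and concatenate it. */
    static String buildByConcatenation(String itnumber, int id) {
        StringBuilder sb = new StringBuilder();
        sb.append("UPDATE company SET itnumber = '");
        sb.append(itnumber); // unescaped: a ' inside the value terminates the literal early
        sb.append("' WHERE (id = ");
        sb.append(id);
        sb.append(")");
        return sb.toString();
    }

    /** The fix: the SQL text is fixed; the value is bound and never parsed as SQL. */
    static int updateWithParameters(Connection conn, String itnumber, int id) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "UPDATE company SET itnumber = ? WHERE id = ?")) {
            ps.setString(1, itnumber);
            ps.setInt(2, id);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumes the H2 driver is on the classpath (hypothetical setup for this example).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE company (id INT PRIMARY KEY, itnumber VARCHAR(64))");
                st.execute("INSERT INTO company VALUES (932, 'old')");
            }
            String input = "5959'59"; // constructed input containing a single quote
            // The concatenated form shows the quoting is already broken by the embedded '.
            System.out.println(buildByConcatenation(input, 932));
            int rows = updateWithParameters(conn, input, 932);
            try (PreparedStatement q = conn.prepareStatement("SELECT itnumber FROM company WHERE id = ?")) {
                q.setInt(1, 932);
                try (ResultSet rs = q.executeQuery()) {
                    rs.next();
                    System.out.println(rows + " row updated; stored intact: " + rs.getString(1));
                }
            }
        }
    }
}
```

The bound version stores the value including its quote character exactly as entered, with no escaping helper to remember at each call site.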