SQL injection for Dynamic where conditions in prepared statement





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







1















I my application we are collecting some user inputs from UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data. It is found that that piece of code has some SQL injection flaw.



I am not able to re arrange this code to prevent that flaq. Any suggestion will be helpfull.



My Application takes four input parameters ,




  1. Serial number -This can be, one or none, or two values
    2.Created date -This can be, one or none, or two values

  2. ReportTypeNumbers- This can be, one or none, or more than two

  3. reportTitleNames-This can be, one or none, or more than two


based on these input values, I am constructing Dynamic 'Where' conditions for prepared statement. This SQL has issues. Please help me to rewrite it to fix SQL injection flaw.



Here is the Method which constructs Dynamic SQL.



public void filter(String strSerialNumberLogic, String strSerialNumber1,

        String strSerialNumber2, String strCreationDateLogic,

        long lngCreationDate1, long lngCreationDate2,

        String strTypeNumbers, String strTitles, long lngLoc)

        throws SQLException, ClassNotFoundException {



    StringBuffer strWhere = new StringBuffer();

    List paramList = new ArrayList();

    String arrTypeNumbers;

    String arrTitles;

    int i;

    boolean bolHit;



    if (!strTypeNumbers.equals("") || !strTitles.equals("")) {

        arrTypeNumbers = strTypeNumbers.split(",");

        arrTitles = strTitles.split(",");



        bolHit = false;

        strWhere.append("(");



        for (i = 0; i < arrTypeNumbers.length; i++) {

            if (arrTypeNumbers[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NUMBER = ?");

                paramList.add(arrTypeNumbers[i]);

            }

        }



        for (i = 0; i < arrTitles.length; i++) {

            if (arrTitles[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NAME = ?");

                paramList.add(arrTitles[i]);

            }

        }



        strWhere.append(") ");

    }



    if (!strSerialNumber1.equals("")) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_NO " + strSerialNumberLogic + " ? ");

        paramList.add(strSerialNumber1);



        if (strSerialNumberLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(strSerialNumber2);

        }

    }



    if (lngCreationDate1 != 0) {





        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }



        strWhere.append(" REPORT_CREATION_DATE " + strCreationDateLogic + " ? ");

        paramList.add(Long.toString(lngCreationDate1));



        if (strCreationDateLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(Long.toString(lngCreationDate2));

        }

    }



    if (lngLoc != 0) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_LOCATION = ? ");

        paramList.add(Long.toString(lngLoc));

    }

    String finalQuery = "";

    if (!strWhere.equals("")) {

        finalQuery = "WHERE " + strWhere.toString();

    }



    String strSQL = "SELECT * " + "FROM D990800 "

            + "LEFT JOIN D990400 ON REPORT_SYSTEM_ID ||" + " REPORT_NO = REPORT_NUMBER " + finalQuery

            + "ORDER BY REPORT_FILE_NO ASC";





    System.out.println("strSQL:" + strSQL );

    System.out.println("paramList:" + paramList );



    Connection conn = ConnectionFactory.instance().getConnection();

    PreparedStatement preparedStatement = null;

    preparedStatement = conn.prepareStatement(strSQL);



    for (int index = 0; index < paramList.size(); index++) {

        String param = (String) paramList.get(index);



        if (isParsableInt(param)) {

            preparedStatement.setInt(index+1, Integer.parseInt(param));

        } else {

            preparedStatement.setString(index+1, param);

        }

    }



    ResultSet rsReports = preparedStatement.executeQuery();



    buildCollection(rsReports);

    rsReports.close();

    preparedStatement.close();

    conn.close();

}





java jdbc prepared-statement sql-injection dynamic-sql







share|improve this question

























  • Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

    – Scary Wombat
    Nov 27 '18 at 1:34











  • what are Criteria Builders?.Please give some pointers

    – rz nihar
    Nov 27 '18 at 2:31











  • did you look at the link

    – Scary Wombat
    Nov 27 '18 at 2:37











  • What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

    – frenchoverflow
    Nov 27 '18 at 4:36











  • But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

    – rz nihar
    Nov 27 '18 at 10:34


















1















I my application we are collecting some user inputs from UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data. It is found that that piece of code has some SQL injection flaw.



I am not able to re arrange this code to prevent that flaq. Any suggestion will be helpfull.



My Application takes four input parameters ,




  1. Serial number -This can be, one or none, or two values
    2.Created date -This can be, one or none, or two values

  2. ReportTypeNumbers- This can be, one or none, or more than two

  3. reportTitleNames-This can be, one or none, or more than two


based on these input values, I am constructing Dynamic 'Where' conditions for prepared statement. This SQL has issues. Please help me to rewrite it to fix SQL injection flaw.



Here is the Method which constructs Dynamic SQL.



public void filter(String strSerialNumberLogic, String strSerialNumber1,

        String strSerialNumber2, String strCreationDateLogic,

        long lngCreationDate1, long lngCreationDate2,

        String strTypeNumbers, String strTitles, long lngLoc)

        throws SQLException, ClassNotFoundException {



    StringBuffer strWhere = new StringBuffer();

    List paramList = new ArrayList();

    String arrTypeNumbers;

    String arrTitles;

    int i;

    boolean bolHit;



    if (!strTypeNumbers.equals("") || !strTitles.equals("")) {

        arrTypeNumbers = strTypeNumbers.split(",");

        arrTitles = strTitles.split(",");



        bolHit = false;

        strWhere.append("(");



        for (i = 0; i < arrTypeNumbers.length; i++) {

            if (arrTypeNumbers[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NUMBER = ?");

                paramList.add(arrTypeNumbers[i]);

            }

        }



        for (i = 0; i < arrTitles.length; i++) {

            if (arrTitles[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NAME = ?");

                paramList.add(arrTitles[i]);

            }

        }



        strWhere.append(") ");

    }



    if (!strSerialNumber1.equals("")) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_NO " + strSerialNumberLogic + " ? ");

        paramList.add(strSerialNumber1);



        if (strSerialNumberLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(strSerialNumber2);

        }

    }



    if (lngCreationDate1 != 0) {





        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }



        strWhere.append(" REPORT_CREATION_DATE " + strCreationDateLogic + " ? ");

        paramList.add(Long.toString(lngCreationDate1));



        if (strCreationDateLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(Long.toString(lngCreationDate2));

        }

    }



    if (lngLoc != 0) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_LOCATION = ? ");

        paramList.add(Long.toString(lngLoc));

    }

    String finalQuery = "";

    if (!strWhere.equals("")) {

        finalQuery = "WHERE " + strWhere.toString();

    }



    String strSQL = "SELECT * " + "FROM D990800 "

            + "LEFT JOIN D990400 ON REPORT_SYSTEM_ID ||" + " REPORT_NO = REPORT_NUMBER " + finalQuery

            + "ORDER BY REPORT_FILE_NO ASC";





    System.out.println("strSQL:" + strSQL );

    System.out.println("paramList:" + paramList );



    Connection conn = ConnectionFactory.instance().getConnection();

    PreparedStatement preparedStatement = null;

    preparedStatement = conn.prepareStatement(strSQL);



    for (int index = 0; index < paramList.size(); index++) {

        String param = (String) paramList.get(index);



        if (isParsableInt(param)) {

            preparedStatement.setInt(index+1, Integer.parseInt(param));

        } else {

            preparedStatement.setString(index+1, param);

        }

    }



    ResultSet rsReports = preparedStatement.executeQuery();



    buildCollection(rsReports);

    rsReports.close();

    preparedStatement.close();

    conn.close();

}





java jdbc prepared-statement sql-injection dynamic-sql







share|improve this question

























  • Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

    – Scary Wombat
    Nov 27 '18 at 1:34











  • what are Criteria Builders?.Please give some pointers

    – rz nihar
    Nov 27 '18 at 2:31











  • did you look at the link

    – Scary Wombat
    Nov 27 '18 at 2:37











  • What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

    – frenchoverflow
    Nov 27 '18 at 4:36











  • But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

    – rz nihar
    Nov 27 '18 at 10:34














1












1








1








I my application we are collecting some user inputs from UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data. It is found that that piece of code has some SQL injection flaw.



I am not able to re arrange this code to prevent that flaq. Any suggestion will be helpfull.



My Application takes four input parameters ,




  1. Serial number -This can be, one or none, or two values
    2.Created date -This can be, one or none, or two values

  2. ReportTypeNumbers- This can be, one or none, or more than two

  3. reportTitleNames-This can be, one or none, or more than two


based on these input values, I am constructing Dynamic 'Where' conditions for prepared statement. This SQL has issues. Please help me to rewrite it to fix SQL injection flaw.



Here is the Method which constructs Dynamic SQL.



public void filter(String strSerialNumberLogic, String strSerialNumber1,

        String strSerialNumber2, String strCreationDateLogic,

        long lngCreationDate1, long lngCreationDate2,

        String strTypeNumbers, String strTitles, long lngLoc)

        throws SQLException, ClassNotFoundException {



    StringBuffer strWhere = new StringBuffer();

    List paramList = new ArrayList();

    String arrTypeNumbers;

    String arrTitles;

    int i;

    boolean bolHit;



    if (!strTypeNumbers.equals("") || !strTitles.equals("")) {

        arrTypeNumbers = strTypeNumbers.split(",");

        arrTitles = strTitles.split(",");



        bolHit = false;

        strWhere.append("(");



        for (i = 0; i < arrTypeNumbers.length; i++) {

            if (arrTypeNumbers[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NUMBER = ?");

                paramList.add(arrTypeNumbers[i]);

            }

        }



        for (i = 0; i < arrTitles.length; i++) {

            if (arrTitles[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NAME = ?");

                paramList.add(arrTitles[i]);

            }

        }



        strWhere.append(") ");

    }



    if (!strSerialNumber1.equals("")) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_NO " + strSerialNumberLogic + " ? ");

        paramList.add(strSerialNumber1);



        if (strSerialNumberLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(strSerialNumber2);

        }

    }



    if (lngCreationDate1 != 0) {





        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }



        strWhere.append(" REPORT_CREATION_DATE " + strCreationDateLogic + " ? ");

        paramList.add(Long.toString(lngCreationDate1));



        if (strCreationDateLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(Long.toString(lngCreationDate2));

        }

    }



    if (lngLoc != 0) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_LOCATION = ? ");

        paramList.add(Long.toString(lngLoc));

    }

    String finalQuery = "";

    if (!strWhere.equals("")) {

        finalQuery = "WHERE " + strWhere.toString();

    }



    String strSQL = "SELECT * " + "FROM D990800 "

            + "LEFT JOIN D990400 ON REPORT_SYSTEM_ID ||" + " REPORT_NO = REPORT_NUMBER " + finalQuery

            + "ORDER BY REPORT_FILE_NO ASC";





    System.out.println("strSQL:" + strSQL );

    System.out.println("paramList:" + paramList );



    Connection conn = ConnectionFactory.instance().getConnection();

    PreparedStatement preparedStatement = null;

    preparedStatement = conn.prepareStatement(strSQL);



    for (int index = 0; index < paramList.size(); index++) {

        String param = (String) paramList.get(index);



        if (isParsableInt(param)) {

            preparedStatement.setInt(index+1, Integer.parseInt(param));

        } else {

            preparedStatement.setString(index+1, param);

        }

    }



    ResultSet rsReports = preparedStatement.executeQuery();



    buildCollection(rsReports);

    rsReports.close();

    preparedStatement.close();

    conn.close();

}





java jdbc prepared-statement sql-injection dynamic-sql







share|improve this question
















I my application we are collecting some user inputs from UI and based on those values we are generating dynamic SQLs with different 'Where' conditions to query data. It is found that that piece of code has some SQL injection flaw.



I am not able to re arrange this code to prevent that flaq. Any suggestion will be helpfull.



My Application takes four input parameters ,




  1. Serial number -This can be, one or none, or two values
    2.Created date -This can be, one or none, or two values

  2. ReportTypeNumbers- This can be, one or none, or more than two

  3. reportTitleNames-This can be, one or none, or more than two


based on these input values, I am constructing Dynamic 'Where' conditions for prepared statement. This SQL has issues. Please help me to rewrite it to fix SQL injection flaw.



Here is the Method which constructs Dynamic SQL.



public void filter(String strSerialNumberLogic, String strSerialNumber1,

        String strSerialNumber2, String strCreationDateLogic,

        long lngCreationDate1, long lngCreationDate2,

        String strTypeNumbers, String strTitles, long lngLoc)

        throws SQLException, ClassNotFoundException {



    StringBuffer strWhere = new StringBuffer();

    List paramList = new ArrayList();

    String arrTypeNumbers;

    String arrTitles;

    int i;

    boolean bolHit;



    if (!strTypeNumbers.equals("") || !strTitles.equals("")) {

        arrTypeNumbers = strTypeNumbers.split(",");

        arrTitles = strTitles.split(",");



        bolHit = false;

        strWhere.append("(");



        for (i = 0; i < arrTypeNumbers.length; i++) {

            if (arrTypeNumbers[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NUMBER = ?");

                paramList.add(arrTypeNumbers[i]);

            }

        }



        for (i = 0; i < arrTitles.length; i++) {

            if (arrTitles[i].length() > 0) {

                if (bolHit) {

                    strWhere.append(" OR ");

                } else {

                    bolHit = true;

                }



                strWhere.append(" REPORT_NAME = ?");

                paramList.add(arrTitles[i]);

            }

        }



        strWhere.append(") ");

    }



    if (!strSerialNumber1.equals("")) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_NO " + strSerialNumberLogic + " ? ");

        paramList.add(strSerialNumber1);



        if (strSerialNumberLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(strSerialNumber2);

        }

    }



    if (lngCreationDate1 != 0) {





        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }



        strWhere.append(" REPORT_CREATION_DATE " + strCreationDateLogic + " ? ");

        paramList.add(Long.toString(lngCreationDate1));



        if (strCreationDateLogic.equals("between")) {

            strWhere.append(" AND ? ");

            paramList.add(Long.toString(lngCreationDate2));

        }

    }



    if (lngLoc != 0) {



        if (!strWhere.equals("")) {

            strWhere.append(" AND ");

        }

        strWhere.append(" REPORT_FILE_LOCATION = ? ");

        paramList.add(Long.toString(lngLoc));

    }

    String finalQuery = "";

    if (!strWhere.equals("")) {

        finalQuery = "WHERE " + strWhere.toString();

    }



    String strSQL = "SELECT * " + "FROM D990800 "

            + "LEFT JOIN D990400 ON REPORT_SYSTEM_ID ||" + " REPORT_NO = REPORT_NUMBER " + finalQuery

            + "ORDER BY REPORT_FILE_NO ASC";





    System.out.println("strSQL:" + strSQL );

    System.out.println("paramList:" + paramList );



    Connection conn = ConnectionFactory.instance().getConnection();

    PreparedStatement preparedStatement = null;

    preparedStatement = conn.prepareStatement(strSQL);



    for (int index = 0; index < paramList.size(); index++) {

        String param = (String) paramList.get(index);



        if (isParsableInt(param)) {

            preparedStatement.setInt(index+1, Integer.parseInt(param));

        } else {

            preparedStatement.setString(index+1, param);

        }

    }



    ResultSet rsReports = preparedStatement.executeQuery();



    buildCollection(rsReports);

    rsReports.close();

    preparedStatement.close();

    conn.close();

}





java jdbc prepared-statement sql-injection dynamic-sql




java jdbc prepared-statement sql-injection dynamic-sql






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 27 '18 at 1:39









Scary Wombat

35.8k32252




35.8k32252










asked Nov 27 '18 at 1:31









rz niharrz nihar

61




61













  • Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

    – Scary Wombat
    Nov 27 '18 at 1:34











  • what are Criteria Builders?.Please give some pointers

    – rz nihar
    Nov 27 '18 at 2:31











  • did you look at the link

    – Scary Wombat
    Nov 27 '18 at 2:37











  • What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

    – frenchoverflow
    Nov 27 '18 at 4:36











  • But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

    – rz nihar
    Nov 27 '18 at 10:34



















  • Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

    – Scary Wombat
    Nov 27 '18 at 1:34











  • what are Criteria Builders?.Please give some pointers

    – rz nihar
    Nov 27 '18 at 2:31











  • did you look at the link

    – Scary Wombat
    Nov 27 '18 at 2:37











  • What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

    – frenchoverflow
    Nov 27 '18 at 4:36











  • But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

    – rz nihar
    Nov 27 '18 at 10:34

















Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

– Scary Wombat
Nov 27 '18 at 1:34





Try using CriteriaBuilder - samples at objectdb.com/java/jpa/query/criteria

– Scary Wombat
Nov 27 '18 at 1:34













what are Criteria Builders?.Please give some pointers

– rz nihar
Nov 27 '18 at 2:31





what are Criteria Builders?.Please give some pointers

– rz nihar
Nov 27 '18 at 2:31













did you look at the link

– Scary Wombat
Nov 27 '18 at 2:37





did you look at the link

– Scary Wombat
Nov 27 '18 at 2:37













What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

– frenchoverflow
Nov 27 '18 at 4:36





What makes you think you are at risk of SQL injections? You are using PreparedStatement and bounded parameters, you should be safe.

– frenchoverflow
Nov 27 '18 at 4:36













But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

– rz nihar
Nov 27 '18 at 10:34





But when the veeracode scan runs(veera code is a tool which scans application code for flaws), it is showing that this peice of code has sql injection flaw.

– rz nihar
Nov 27 '18 at 10:34












1 Answer
1






active

oldest

votes


















0














The way you handle strSerialNumberLogic and strCreationDateLogic does allow for a SQL injection attack. Instead of directly appending their values to the where clause, you should use conditional logic to determine the correct conditional to use:



strWhere.append(" REPORT_FILE_NO ");



switch (strSerialNumberLogic) {

  case "=":

    strWhere.append("= ? ");

    paramList.add(strSerialNumber1);

    break;

  case "!=":

  case "<>":

    strWhere.append("!= ? ");

    paramList.add(strSerialNumber1);

    break;

  case "<":

    strWhere.append("< ? ");

    paramList.add(strSerialNumber1);

    break;

  case "<=":

    strWhere.append("<= ? ");

    paramList.add(strSerialNumber1);

    break;

  case ">":

    strWhere.append("> ? ");

    paramList.add(strSerialNumber1);

    break;

  case ">=":

    strWhere.append(">= ? ");

    paramList.add(strSerialNumber1);

    break;

  case "between":

    strWhere.append("between ? and ? ");

    paramList.add(strSerialNumber1);

    paramList.add(strSerialNumber2);

    break;

  case "not between":

    strWhere.append("not between ? and ? ");

    paramList.add(strSerialNumber1);

    paramList.add(strSerialNumber2);

    break;

  case "is null":

    strWhere.append("is null ");

    break;

  case "is not null":

    strWhere.append("is not null ");

    break;

}


Although you could simply check to ensure that the value of str[SerialNumber|CreationDate]Logic is valid before appending it to avoid injection attacks, your code checker would likely still throw an error, so it's better to append string literals instead of variables.






share|improve this answer
























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491506%2fsql-injection-for-dynamic-where-conditions-in-prepared-statement%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    The way you handle strSerialNumberLogic and strCreationDateLogic does allow for a SQL injection attack. Instead of directly appending their values to the where clause, you should use conditional logic to determine the correct conditional to use:



    strWhere.append(" REPORT_FILE_NO ");
    

    
switch (strSerialNumberLogic) {
    
  case "=":
    
    strWhere.append("= ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case "!=":
    
  case "<>":
    
    strWhere.append("!= ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case "<":
    
    strWhere.append("< ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case "<=":
    
    strWhere.append("<= ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case ">":
    
    strWhere.append("> ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case ">=":
    
    strWhere.append(">= ? ");
    
    paramList.add(strSerialNumber1);
    
    break;
    
  case "between":
    
    strWhere.append("between ? and ? ");
    
    paramList.add(strSerialNumber1);
    
    paramList.add(strSerialNumber2);
    
    break;
    
  case "not between":
    
    strWhere.append("not between ? and ? ");
    
    paramList.add(strSerialNumber1);
    
    paramList.add(strSerialNumber2);
    
    break;
    
  case "is null":
    
    strWhere.append("is null ");
    
    break;
    
  case "is not null":
    
    strWhere.append("is not null ");
    
    break;
    
}


    Although you could simply check to ensure that the value of str[SerialNumber|CreationDate]Logic is valid before appending it to avoid injection attacks, your code checker would likely still throw an error, so it's better to append string literals instead of variables.






    share|improve this answer




























      0














      The way you handle strSerialNumberLogic and strCreationDateLogic does allow for a SQL injection attack. Instead of directly appending their values to the where clause, you should use conditional logic to determine the correct conditional to use:



      strWhere.append(" REPORT_FILE_NO ");
      

      
switch (strSerialNumberLogic) {
      
  case "=":
      
    strWhere.append("= ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case "!=":
      
  case "<>":
      
    strWhere.append("!= ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case "<":
      
    strWhere.append("< ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case "<=":
      
    strWhere.append("<= ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case ">":
      
    strWhere.append("> ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case ">=":
      
    strWhere.append(">= ? ");
      
    paramList.add(strSerialNumber1);
      
    break;
      
  case "between":
      
    strWhere.append("between ? and ? ");
      
    paramList.add(strSerialNumber1);
      
    paramList.add(strSerialNumber2);
      
    break;
      
  case "not between":
      
    strWhere.append("not between ? and ? ");
      
    paramList.add(strSerialNumber1);
      
    paramList.add(strSerialNumber2);
      
    break;
      
  case "is null":
      
    strWhere.append("is null ");
      
    break;
      
  case "is not null":
      
    strWhere.append("is not null ");
      
    break;
      
}


      Although you could simply check to ensure that the value of str[SerialNumber|CreationDate]Logic is valid before appending it to avoid injection attacks, your code checker would likely still throw an error, so it's better to append string literals instead of variables.






      share|improve this answer


























        0












        0








        0







        The way you handle strSerialNumberLogic and strCreationDateLogic does allow for a SQL injection attack. Instead of directly appending their values to the where clause, you should use conditional logic to determine the correct conditional to use:



        strWhere.append(" REPORT_FILE_NO ");
        

        
switch (strSerialNumberLogic) {
        
  case "=":
        
    strWhere.append("= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "!=":
        
  case "<>":
        
    strWhere.append("!= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "<":
        
    strWhere.append("< ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "<=":
        
    strWhere.append("<= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case ">":
        
    strWhere.append("> ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case ">=":
        
    strWhere.append(">= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "between":
        
    strWhere.append("between ? and ? ");
        
    paramList.add(strSerialNumber1);
        
    paramList.add(strSerialNumber2);
        
    break;
        
  case "not between":
        
    strWhere.append("not between ? and ? ");
        
    paramList.add(strSerialNumber1);
        
    paramList.add(strSerialNumber2);
        
    break;
        
  case "is null":
        
    strWhere.append("is null ");
        
    break;
        
  case "is not null":
        
    strWhere.append("is not null ");
        
    break;
        
}


        Although you could simply check to ensure that the value of str[SerialNumber|CreationDate]Logic is valid before appending it to avoid injection attacks, your code checker would likely still throw an error, so it's better to append string literals instead of variables.






        share|improve this answer













        The way you handle strSerialNumberLogic and strCreationDateLogic does allow for a SQL injection attack. Instead of directly appending their values to the where clause, you should use conditional logic to determine the correct conditional to use:



        strWhere.append(" REPORT_FILE_NO ");
        

        
switch (strSerialNumberLogic) {
        
  case "=":
        
    strWhere.append("= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "!=":
        
  case "<>":
        
    strWhere.append("!= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "<":
        
    strWhere.append("< ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "<=":
        
    strWhere.append("<= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case ">":
        
    strWhere.append("> ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case ">=":
        
    strWhere.append(">= ? ");
        
    paramList.add(strSerialNumber1);
        
    break;
        
  case "between":
        
    strWhere.append("between ? and ? ");
        
    paramList.add(strSerialNumber1);
        
    paramList.add(strSerialNumber2);
        
    break;
        
  case "not between":
        
    strWhere.append("not between ? and ? ");
        
    paramList.add(strSerialNumber1);
        
    paramList.add(strSerialNumber2);
        
    break;
        
  case "is null":
        
    strWhere.append("is null ");
        
    break;
        
  case "is not null":
        
    strWhere.append("is not null ");
        
    break;
        
}


        Although you could simply check to ensure that the value of str[SerialNumber|CreationDate]Logic is valid before appending it to avoid injection attacks, your code checker would likely still throw an error, so it's better to append string literals instead of variables.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 28 '18 at 0:08









        SentinelSentinel

        5,12011221




        5,12011221
































            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53491506%2fsql-injection-for-dynamic-where-conditions-in-prepared-statement%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Tonle Sap (See)

            Image
            Tonle Sap Satellitenfoto (April 1994) Geographische Lage Kambodscha Zuflüsse Tonle-Sap-Fluss, Siem Reap River Abfluss Tonle-Sap-Fluss Orte in der Nähe Siem Reap, Battambang Daten Koordinaten 12° 52′ 34″  N , 104° 4′ 23″  O 12.876 104.073 Koordinaten: 12° 52′ 34″  N , 104° 4′ 23″  O Höhe über Meeresspiegel f1 0,5 Meter Fläche 2.700–25.000 km² dep1 f5 Länge 250 km (maximal) dep1 f6 Breite 100 km (maximal) dep1 f7 Volumen 80 km³ (maximal) dep1 f8 Maximale Tiefe 14 m f10 Mittlere Tiefe 2–3 m (minimal) f11 Besonderheiten größter See Südostasiens Der Tonle-Sap-See (Khmer: បឹង​ទន្លេសាប , Aussprache: [ boeung tunleː saːp ]) in Kambodscha ist der größte See Südostasiens und eines der fischreichsten Binnengewässer der Erde. Inhaltsverzeichnis 1 Geographie 2 Wirtschaftliche Bedeutung 2.1 Verkehr 2.2 Reis 2.3 Fisch 3 Ökologie und Gefährdung 3.1 Überfischung...
            Read more

            I get strange results when I access the Sqlitedatabase with Unity C# via XAMPP

            Image
            0 <?php $servername = "localhost"; $username="root"; $password=""; $dbName="escape_room"; $user_username = $_POST['Input_user']; $user_password = $_POST['Input_pass']; $conn = new mysqli($servername, $username, $password, $dbName); if(!$conn){ die("Cound not Connect: " . mysqli_connect_error()); } $sql = "SELECT pass FROM escape_room WHERE user = '".$user_username."' "; $result = mysqli_query($conn, $sql); //Get the result and confirm login if(mysqli_num_rows($result)>0){ while($row = mysqli_fetch_assoc($result)){ if($row['pass'] == $user_password){ echo "login success"; ...
            Read more

            Guatemaltekische Davis-Cup-Mannschaft

            Image
            Guatemala Kapitän Anthony Vásquez Aktuelles ITF-Ranking 73 Statistik Erste Teilnahme 1990 Davis-Cup-Teilnahmen 22 Bestes Ergebnis Amerika-Gruppenzone II HF (1995, 2000, 2001) Ewige Bilanz 42:30 Erfolgreichste Spieler Meiste Siege gesamt Daniel Chávez Morales (29) Meiste Einzelsiege Cristian Paiz (21) Meiste Doppelsiege Daniel Chávez Morales (17) Bestes Doppel Jacobo Chávez / Daniel Chávez Morales (9) Meiste Teilnahmen Cristian Paiz (32) Meiste Jahre Daniel Chávez Morales (10) Letzte Aktualisierung der Infobox: 3. Juni 2012 Die guatemaltekische Davis-Cup-Mannschaft ist die Tennisnationalmannschaft Guatemalas. Geschichte | 1990 nahm Guatemala erstmals am Davis Cup teil. Das beste Resultat erreichte die Mannschaft jeweils 1995, 2000 und 2001 mit dem Halbfinale in der Amerika-Gruppenzone II. Bester Spieler ist Daniel Chávez Morales mit 29 Siegen bei insgesamt 31 Teilnahmen. Rekord...
            Read more