0

Input Security +SQL

asked 2014-06-26 08:08:11 +0800

IngoB

updated 2014-06-26 08:08:51 +0800

Hi,

I got a textbox in which you can enter a "string", to search a database via SQL.

I set the maxLength() of the textbox to 30 chars (ZUL) and in the Java Controller I checked for >=2 && <=30 chars (JAVA). The SQL statement is a PreparedStatement. The search string gets wrapped in "%" and it is set to lowercase.

So is there any other security-related issue? Should I filter special chars (regex) or something else? I know there will be a lot of people using it and they will (intentionally or not) try to enter "wrong" values (children).

Any more ideas and/or am I missing something important?

ZK 7.0.2/FF 30.0/Eclipse Kepler SR2


Comments

1

Normally a PreparedStatement is already protected against SQL injection.

chillworld (2014-06-26 09:46:27 +0800)

1 Answer

1

answered 2014-06-26 14:43:23 +0800

dis

As long as you use prepared statements and pass all your variables into prepared statement parameters, you are safe against SQL injection. -dis
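
The setup described in the question, as an added example that is not part of the original posts: a server-side length check, lowercasing, and a LIKE search through a bound PreparedStatement parameter. It goes one step beyond the thread by escaping `%` and `_`, which remain LIKE wildcards even when the value is bound, so a term such as "100%" matches literally. The table `items`, the column `name`, the class name and the choice of `!` as escape character are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class SearchDao {
    // Limits taken from the question; enforced on the server, not only in ZUL.
    private static final int MIN_LEN = 2;
    private static final int MAX_LEN = 30;

    /** Checks length, lowercases, escapes LIKE wildcards, wraps in %. */
    static String toLikePattern(String input) {
        if (input == null || input.length() < MIN_LEN || input.length() > MAX_LEN) {
            throw new IllegalArgumentException("search term must be 2-30 characters");
        }
        // Escape the escape character first, then % and _, so that what the
        // user typed is matched literally instead of acting as a pattern.
        String escaped = input.toLowerCase(Locale.ROOT)
                .replace("!", "!!")
                .replace("%", "!%")
                .replace("_", "!_");
        return "%" + escaped + "%";
    }

    /** Table "items" and column "name" are hypothetical. */
    static List<String> search(Connection con, String input) throws SQLException {
        String sql = "SELECT name FROM items WHERE LOWER(name) LIKE ? ESCAPE '!'";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, toLikePattern(input)); // bound as data, never concatenated
            List<String> hits = new ArrayList<>();
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    hits.add(rs.getString(1));
                }
            }
            return hits;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database is needed to see the patterns.
        for (String s : new String[] {"Berlin", "100%", "a_b", "O'Brien"}) {
            System.out.println(s + " -> " + toLikePattern(s));
        }
    }
}
```

The quote in "O'Brien" needs no filtering because the value is only ever sent as a parameter; the wildcard escaping affects which rows match, not whether injection is possible.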
