Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

8 Best Practices to Prevent SQL Injection Attacks

  • April 15, 2021
  • 8880 Unique Views
  • < 1 min read

SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query. For instance, when filling in a web form. If SQL injection is possible, smart attackers can create user input to steal valuable data, bypass authentication, or corrupt the records in your database.

There are different types of SQL injection attacks, but in general, they all have a similar cause. The untrusted data that the user enters is concatenated with the query string. Therefore the user’s input can alter the query’s original intent.

These are the 8 best practices we discuss in this article.

  1. Do not rely on client-side input validation
  2. Use a database user with restricted privileges
  3. Use prepared statements and query parameterization
  4. Scan your code for SQL injection vulnerabilities
  5. Use an ORM layer
  6. Don’t rely on blocklisting
  7. Perform input validation
  8. Be careful with stored procedures

Read the full article.

Avatar photo

Brian Vermeer

Author

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Avatar photo

Brian Vermeer

Author

Java Champions & Developer Advocate and Software Engineer for Snyk. Passionate about Java, (Pure) Functional Programming, and Cybersecurity. Co-leading the Virtual JUG, NLJUG and DevSecCon community. Brian is also an Oracle Groundbreaker Ambassador and regular international speaker on mostly Java-related conferences.

Learn more

Thanks to our Sponsors!

Azul logo
Azul
Platinum Sponsor
Redis logo
Redis
Gold Sponsor
CodeRabbit logo
CodeRabbit
Gold Sponsor
Reo logo
Reo
Silver Sponsor
Zencoder logo
Zencoder
Silver Sponsor
Payara logo
Payara
Bronze Sponsor
Digma logo
Digma
Bronze Sponsor
adesso logo
adesso
Bronze Sponsor

Trending

Week Month All

Your New AI-Powered Coding Buddy: A Guide to SonarQube MCP Server on IntelliJ 🤖

Preparing for Spring Framework 7 and Spring Boot 4

Java Security Starts with the JVM

Explore Spring Framework 7 Features—API Versioning

Dissection of Joeffice: Open Source Office Suite in Java

Understanding MCP Through Raw STDIO Communication

How to profile a performance issue using Spring Boot profiling tools

A Dissection of Java JDBC to PostgreSQL Connections

Task Schedulers in Java: Modern Alternatives to Quartz Scheduler

Foojay Podcast #81: Maven 4 – The Future of Java Build Automation

JC-AI Newsletter: Easy Access to Expanding Challenges

JC-AI Newsletter #8

Preparing for Spring Framework 7 and Spring Boot 4

Explore Spring Framework 7 Features—API Versioning

Understanding MCP Through Raw STDIO Communication

Foojay Podcast #81: Maven 4 – The Future of Java Build Automation

Your New AI-Powered Coding Buddy: A Guide to SonarQube MCP Server on IntelliJ 🤖

7 Habits of Highly Effective Java Coding

Hey Java Devs, Let’s Talk About AI MCP! 🤖

Elastic JVM: Configuring G1 GC for Automatic Vertical Memory Scaling

Indexing all of Wikipedia, on a laptop

Working with Multiple Carets in IntelliJ IDEA

Clean Shutdown of Spring Boot Applications

Java 17 on the Raspberry Pi

Project Panama for Newbies (Part 1)

How to Create Mobile Apps with JavaFX (Part 1)

Foojay Slack: bit.ly/join-foojay-slack

Beginning JavaFX Applications with IntelliJ IDE

SpringBoot 3.2 + CRaC

Creating Scalable OpenAI GPT Applications in Java

Do you want your ad here?

Contact us to get your ad seen by thousands of users every day!

[email protected]

Comments (2)

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Tobiloba avatar

Tobiloba

3 years ago

I see that you save the point of interest as text in the DB but the response gotten from ChatGPT is JSON. Does this mean you convert the response into string using libraries like gson before saving it in the database?

16

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Denis Magda avatar

Denis Magda

3 years ago

Hey, The response is a String object in the JSON format [1]. The repository takes this JSON string as is and stores to the database [2]. Presently, Spring Data auto-generates the CREATE TABLE statement on the startup and sets the "point of interest" column's type to "text" (or "varchar", don't remember). However, it's always possible to ask Spring Data to use the "json" or "jsonb" type for the column if you wish to query the JSON at the database level. Finally, Vaadin displays a list of PointsOfInterests. Those are generated using the org.json library [3]. Let me know if you have other questions. Hope this helps. [1] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L103 [2] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L74 [3] https://github.com/YugabyteDB-Samples/budget-journey-gpt/blob/main/src/main/java/com/yugabyte/com/TripsAdvisorService.java#L114

19

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Set Event Reminder

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard