Using prepared statements to protect against SQLI
| String username = request.getParameter("username"); | |
| String password = request.getParameter("password"); | |
| String sqlAuthQuery = "select * from users where username = ? and password = ? "; | |
| Connection connection = pool.getConnection(); | |
| PreparedStatement preparedStatement = connection.prepareStatement(sqlAuthQuery); | |
| preparedStatement.setString(1, username); | |
| preparedStatement.setString(2, password); | |
| ResultSet result = preparedStatement.executeQuery(); | |
| if (result.next()) { | |
| loggedIn = true; | |
| // Successfully logged in | |
| } else { | |
| // Auth failure | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment