Using prepared statements to protect against SQL injection (SQLi)
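String username = request.getParameter("username");
String password = request.getParameter("password");
// The user-supplied values never become part of the SQL text: the '?' placeholders
// are bound below via setString, so the driver passes them as parameters rather than
// splicing them into the statement.
String sqlAuthQuery = "select * from users where username = ? and password = ? ";
// NOTE(review): binding the raw request password means the users table is assumed to
// store the password in the same form the client sent it; verifying against a salted
// hash in application code would avoid that -- confirm how the column is populated.
// try-with-resources closes the ResultSet, PreparedStatement and Connection (innermost
// first) even when executeQuery throws; the original left all three open on every path.
try (Connection connection = pool.getConnection();
     PreparedStatement preparedStatement = connection.prepareStatement(sqlAuthQuery)) {
    preparedStatement.setString(1, username);
    preparedStatement.setString(2, password);
    try (ResultSet result = preparedStatement.executeQuery()) {
        // Only the existence of a matching row is checked; no columns are read.
        if (result.next()) {
            loggedIn = true;
            // Successfully logged in
        } else {
            // Auth failure
        }
    }
}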