Skip to content
This repository was archived by the owner on Jan 30, 2018. It is now read-only.
This repository was archived by the owner on Jan 30, 2018. It is now read-only.

Prepared Statements #3

Open
Open
Prepared Statements#3
Labels
pending
@jerustes

Description

@jerustes
jerustes
opened on Nov 9, 2017
try(PreparedStatement st = connection.prepareStatement("SELECT ... ? ... ?"));
    st.setInt(1, anho);
    st.setString(2, nombre);
    ResultSet rs = st.executeQuery(); 
//WARNING: nothing as param to executeQuery or we vulnerable af

Los interrogantes del prepared statement van sin entrecomillar, lo metemos directamente en la cadena, sin concatenar nada. Java ya interpreta directamente cómo tiene que gestionar eso.
Si metiésemos parámetro executeQuery() estaríamos llamando al método de la superclase Statement y seríamos igualmente vulnerables que si no usásemos prepared

Metadata

Metadata

Assignees

No one assigned

    Labels

    pending

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions