December 10, 2008 at 11:15 PM
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application.
Prevention against SQL injection:
User input must not directly be embedded in SQL statements.
Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.
Using Parameterized Statements
In some programming languages, such as Java and .NET, parameterized statements use parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement.
In many cases the SQL statement text is fixed; the user input is then assigned (bound) to a parameter at run time, so it is always treated as a value and never as part of the SQL syntax.
This is an example using Java and the JDBC API (assuming an open Connection conn and String variables username and password holding the user input):
PreparedStatement pstmt = conn.prepareStatement("SELECT * FROM tablename WHERE USERNAME=? AND PASSWORD=?");
pstmt.setString(1, username); // bound as data, never parsed as SQL
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery(); // runs the fixed statement with the bound values
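Added example, not part of the original post: the same login query written both ways in Python with the standard-library sqlite3 module (used here instead of JDBC so it runs stand-alone against a constructed in-memory table), so the difference described above can be checked directly. The table name users and the function names make_db, login_vulnerable, login_parameterized and compare are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the post's 'tablename'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input embedded directly in the SQL text (what the post warns against)."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Fixed statement with placeholders; values are bound and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run both versions on the same input; returns (rows_vulnerable, rows_parameterized)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both versions match exactly one row.
    print(compare("alice", "correct-horse"))
    # Constructed input containing a quote: the embedded version lets it alter the
    # WHERE clause; the parameterized version treats it as a literal password and
    # matches nothing, which is the behaviour a regression test should assert.
    print(compare("alice", "' OR '1'='1"))
```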