So I have this snippet of code:

String username = props.getProperty("jdbc.username");
try {
    String username = parts[1];

    // Check procedure
    System.out.println("Checking user");

    // Check database user table for username
    conn = getSQLConnection();
    Statement stat = conn.createStatement();
    ResultSet user = stat.executeQuery("SELECT * FROM USER WHERE log_id='" + username + "';");
    // Check given password against user entry
    if (user.next()) {
        System.out.println("User Exists: " + username);
        sendMessage("true");
        return;
    } else {
        System.out.println("User Does Not Exist: " + username);
        sendMessage("false user");
        return;
    }
} catch (SQLException e) {
    e.printStackTrace();
}

For educational purposes, is the SQL statement protected from an SQL injection even though I know where the input is coming from?

  • Do you always have 100% control of what username could be in your system? Commented Apr 20, 2015 at 21:43
  • No, it is not protected. As long as you use a concatenated string to create the query, you're not protected. Commented Apr 20, 2015 at 21:45
  • What do you mean by "For educational purposes"? Commented Apr 20, 2015 at 21:56
  • Just that I understand to ONLY ever use prepared statements. But in this case, where I'm not, am I still open to SQL injection through the username even though a user is not specifying the username? Commented Apr 20, 2015 at 22:10

2 Answers

ResultSet user = stat.executeQuery( "SELECT * FROM USER WHERE log_id='" + username + "';" );

This is subject to SQL injection.

Imagine what happens if username has this value:

John'; delete from user where 'a' = 'a

And yes, a s*load of Java JDBC SQL tutorials get this wrong. Basically, always use PreparedStatements.

Not only because this makes it safe to use even if username has malicious values like the one above, but also, and more importantly, because the same query can be reused by the RDBMS engine for all further invocations.

In short, there is no reason at all not to use them. And tutorials demonstrating SQL using string concatenation should die a painful, SQL injection death.

2 Comments

  • Thank you for your answer/comment. You explained a lot for me :)
  • Is the jdbc.username able to be easily changed for an SQL injection to happen?
As explained in this post, one rogue attacker can do the following to your application:

  • call a sleep function so that all your database connections will be busy, therefore making your application unavailable
  • extract sensitive data from the DB
  • bypass the user authentication

And it's not just SQL that can be affected. Even JPQL can be compromised if you are not using bind parameters.

Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose:
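Both answers come down to the same fix: keep the SQL text fixed and bind the username as a parameter. The following is an added example, not code from the question or from either answer; it assumes an H2 in-memory database is reachable through JDBC (any JDBC driver works with the same code) and names the table APP_USER because USER is a reserved word in several databases.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserCheckDemo {

    // Vulnerable form from the question: the username is pasted into the query
    // text, so the database parses whatever it contains as SQL.
    static boolean userExistsConcat(Connection conn, String username) throws SQLException {
        try (Statement stat = conn.createStatement();
             ResultSet rs = stat.executeQuery(
                     "SELECT * FROM APP_USER WHERE log_id='" + username + "'")) {
            return rs.next();
        }
    }

    // Hardened form: the query text never changes; the username is sent as a
    // bound parameter and can only ever be compared as a value.
    static boolean userExistsPrepared(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT * FROM APP_USER WHERE log_id = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath (jdbc:h2:mem:demo is a throwaway in-memory DB).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE APP_USER (log_id VARCHAR(64) PRIMARY KEY)");
                s.execute("INSERT INTO APP_USER VALUES ('alice')"); // constructed sample row
            }
            // Constructed value: with concatenation the injected OR makes every row match,
            // so the "does the user exist" check passes for a name that is not in the table.
            String bypass = "nobody' OR '1'='1";
            System.out.println("concat,   real user:    " + userExistsConcat(conn, "alice"));
            System.out.println("concat,   bypass value: " + userExistsConcat(conn, bypass));
            // The same value bound as a parameter is just a 19-character string to compare against.
            System.out.println("prepared, real user:    " + userExistsPrepared(conn, "alice"));
            System.out.println("prepared, bypass value: " + userExistsPrepared(conn, bypass));
        }
    }
}
```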
