
Oracle JDeveloper 10g for Forms & PL/SQL Developers: A Guide to Web Development with Oracle ADF by Duncan Mills, Peter Koletzke


Prevent SQL Injection Attacks

One of the most common vulnerabilities in relational database applications is leaving the application open to SQL injection (described in Chapter 12). SQL injection is a technique in which a user places SQL syntax inside a string value that is meant to hold only query criteria, so that the statement built from that string does something the developer did not intend. For example, imagine a query screen that allows a customer to track an order. The screen exposes an Order Number field called q_ordernum. The user can enter a number and click the Find button to retrieve details of that order. Usually, the programmer or the framework code would include a SQL statement that uses the parameter value, such as:

stmt = "SELECT order_total, status FROM orders WHERE order_number = " + ...
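The following example, added here and not taken from the book or from the ADF framework, shows the concatenated statement above beside its bind-variable form. It uses Python's built-in sqlite3 module with a constructed in-memory orders table so it runs offline; the table columns, sample rows and the function names find_order_unsafe and find_order_safe are assumptions made for the illustration. The same contrast applies to Java code in a JDeveloper project, where the fix is to pass the value through a bind variable (for example a JDBC PreparedStatement placeholder) rather than appending it to the SQL text.

```python
import sqlite3


def build_orders_db():
    """Create a constructed in-memory orders table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        " order_number INTEGER PRIMARY KEY,"
        " order_total REAL,"
        " status TEXT,"
        " customer_id INTEGER)"
    )
    # Sample rows are constructed, not real data.
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            (1001, 250.00, "SHIPPED", 7),
            (1002, 99.50, "PENDING", 8),
            (1003, 1200.00, "SHIPPED", 9),
        ],
    )
    return conn


def find_order_unsafe(conn, q_ordernum):
    """Vulnerable form: the field value becomes part of the SQL text.

    Whatever the user typed into q_ordernum is parsed by the database as
    SQL, so a value that is not a plain number changes the WHERE clause
    and can return rows belonging to other customers.
    """
    stmt = "SELECT order_total, status FROM orders WHERE order_number = " + q_ordernum
    return conn.execute(stmt).fetchall()


def find_order_safe(conn, q_ordernum):
    """Hardened form: validate the type, then bind the value.

    The SQL text is fixed at development time; the value travels to the
    database separately as a bind variable, so it can only ever be
    compared against order_number and never alters the statement.
    """
    try:
        order_number = int(q_ordernum)
    except (TypeError, ValueError):
        # Reject anything that is not an order number before it reaches SQL.
        raise ValueError("order number must be numeric")
    stmt = "SELECT order_total, status FROM orders WHERE order_number = ?"
    return conn.execute(stmt, (order_number,)).fetchall()


def compare(q_ordernum):
    """Run both lookups on the same input and report the row counts."""
    conn = build_orders_db()
    unsafe_rows = find_order_unsafe(conn, q_ordernum)
    try:
        safe_rows = find_order_safe(conn, q_ordernum)
    except ValueError:
        safe_rows = None  # input rejected by validation
    conn.close()
    return {"unsafe": len(unsafe_rows), "safe": None if safe_rows is None else len(safe_rows)}


if __name__ == "__main__":
    # A normal order number behaves the same in both versions.
    print(compare("1001"))
    # A value carrying extra SQL syntax widens the unsafe query to every
    # order; the safe version refuses it before any SQL is executed.
    print(compare("1001 OR 1=1"))
```

Running the module shows that the concatenated query returns all three constructed orders for the second input, while the bound version rejects it; in a framework application the same protection comes from letting the framework bind the field value instead of building the statement string yourself.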
