Dear All,
I am using JPA and I am now facing a problem with SQL injection.
I need to create a SQL query that accepts a WHERE clause entered by users.
(for querying data ONLY)
e.g. String sqlString = "select * from users u where " + userInputWhereCondition;
     Query query = em.createNativeQuery(sqlString); // em is a javax.persistence.EntityManager instance
     List queryResult = query.getResultList();
Could anybody tell me how I can prevent possible SQL injection or other
potential problems?
***This method is exposed as a web service (with authentication and authorization)
***and is supposed to be invoked by other 'trusted' systems / users
***to do some advanced queries (read-only) that the frontend is not able to do.
***
***But I still want to do something to protect my data/database.
I am not able to use a prepared statement as I can't parse the userInputWhereCondition
(I would need to write a complicated parser).
Does Query.getResultList() do the job of making sure the SQL string is safe?
Does anybody have a good and simple solution?
Thank you.
lsp
[Message sent by forum member 'imperfect' (imperfect)]
http://forums.java.net/jive/thread.jspa?messageID=259826
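The following is an added example, not code from the original post or from any JPA vendor. It shows the usual way out of the problem above: getResultList() only executes whatever SQL it is handed, so a free-text WHERE clause cannot be made safe after the fact. Instead the web service accepts a structured list of (column, operator, value) conditions, checks column and operator against a whitelist, and binds every value as a positional parameter through createNativeQuery/setParameter. The users table columns, the javax.persistence package name (jakarta.persistence on newer JPA) and the Condition/BuiltQuery helper classes are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;

/** Added example: whitelist-based filter builder that never splices user values into SQL. */
public class SafeWhereBuilder {

    /** One caller-supplied condition (hypothetical DTO for the web service). */
    public static final class Condition {
        final String column; final String operator; final Object value;
        public Condition(String column, String operator, Object value) {
            this.column = column; this.operator = operator; this.value = value;
        }
    }

    /** SQL text plus the values to bind to ?1, ?2, ... in order. */
    public static final class BuiltQuery {
        public final String sql; public final List<Object> params;
        BuiltQuery(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    // Assumed schema: columns the caller may filter on, with the Java type each value must have.
    private static final Map<String, Class<?>> COLUMNS = Map.of(
        "username", String.class, "email", String.class, "age", Integer.class, "active", Boolean.class);

    // Only these operators are accepted; "OR", ";", "--" and friends never reach the SQL text.
    private static final Set<String> OPERATORS = Set.of("=", "<>", "<", "<=", ">", ">=", "LIKE");

    public static BuiltQuery build(List<Condition> conditions) {
        if (conditions == null || conditions.isEmpty()) {
            throw new IllegalArgumentException("at least one condition is required");
        }
        StringBuilder sql = new StringBuilder("select * from users u where ");
        List<Object> params = new ArrayList<>();
        for (Condition c : conditions) {
            Class<?> type = COLUMNS.get(c.column);
            if (type == null) {
                throw new IllegalArgumentException("column not allowed: " + c.column);
            }
            String op = c.operator == null ? "" : c.operator.trim().toUpperCase();
            if (!OPERATORS.contains(op)) {
                throw new IllegalArgumentException("operator not allowed: " + c.operator);
            }
            if (op.equals("LIKE") && type != String.class) {
                throw new IllegalArgumentException("LIKE only valid on string columns: " + c.column);
            }
            if (c.value == null || !type.isInstance(c.value)) {
                throw new IllegalArgumentException("bad value type for column: " + c.column);
            }
            if (!params.isEmpty()) {
                sql.append(" and ");
            }
            // Column and operator are whitelisted literals, so splicing them is safe;
            // the value becomes ?N and is bound below, so the database never parses it as SQL.
            params.add(c.value);
            sql.append("u.").append(c.column).append(' ').append(op).append(" ?").append(params.size());
        }
        return new BuiltQuery(sql.toString(), params);
    }

    /** Executes a built query through JPA, binding each value positionally. */
    @SuppressWarnings("unchecked")
    public static List<Object[]> run(EntityManager em, BuiltQuery q) {
        Query query = em.createNativeQuery(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            query.setParameter(i + 1, q.params.get(i));
        }
        return query.getResultList();
    }

    public static void main(String[] args) {
        BuiltQuery q = build(List.of(
            new Condition("username", "like", "adm%"),
            new Condition("age", ">=", 18)));
        System.out.println(q.sql);    // select * from users u where u.username LIKE ?1 and u.age >= ?2
        System.out.println(q.params); // [adm%, 18]

        // A classic payload used as a value is bound as an ordinary string, not parsed as SQL ...
        BuiltQuery bound = build(List.of(new Condition("username", "=", "x' OR '1'='1")));
        System.out.println(bound.sql + "  params=" + bound.params);
        // ... and the same payload used as a column name is rejected before any SQL exists.
        try {
            build(List.of(new Condition("username = 'a' OR 1=1 --", "=", "x")));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The read-only requirement is enforced separately: run the service with a database account that only has SELECT on the tables it needs, so that even a bug in the builder cannot turn into a write. Ad-hoc expressiveness that the whitelist does not cover (functions, subqueries) is better added as further named operators than by reopening the raw-string path.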