Am I avoiding SQL injection? Is it possible?

  • Am I avoiding SQL injection? Is it possible?

    Hello, I was wondering if by using the following code in a Database Writer, I am able to avoid SQL injection.

    Code:
    	// Collect the values in a Java list; they are passed separately from the SQL text
    	var params = new Packages.java.util.ArrayList();

    	// One '?' placeholder per value; no message data is concatenated into this string
    	var sql = "INSERT IGNORE INTO table1 (field1, field2, field3, field4, field5, field6) VALUES (?, ?, ?, ?, ?, ?)";

    	params.add(varMsg1);
    	params.add(varMsg2);
    	params.add(varMsg3);
    	params.add(varMsg4);
    	params.add(varMsg5);
    	params.add(varMsg6);

    	// Execute with the placeholder SQL and the parameter list
    	dbConn.executeUpdate(sql, params);
    Is it still unsafe? Does the method executeUpdate(sql, params) do anything to avoid it?
    If not, is there another way to avoid it (without going through the hassle of replacing every dangerous word or character)?

  • #2
    Yes, it's safe. When you use executeUpdate passing SQL and the LIST of parameters, Mirth will perform a prepared statement in the background, and you will avoid SQL injections.

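    To show why the placeholder-plus-parameter-list pattern from the question is safe while string concatenation is not, here is an added JavaScript example. It is not code from the thread or from Mirth Connect: it talks to no database, and the function names buildConcatenated, buildParameterized, countQuotes and placeholdersMatch are constructed for this illustration. It models what a prepared statement does: the SQL text with '?' placeholders stays fixed and the values travel separately, so a value can never alter the statement's structure. The sample surname containing an apostrophe is constructed, and is a perfectly legitimate value.

```javascript
// Added example, not from the thread or from Mirth Connect. It models the
// difference between building SQL by concatenation and sending placeholder SQL
// plus a separate parameter list, as dbConn.executeUpdate(sql, params) does.

// Naive approach: interpolate each value straight into the SQL text.
function buildConcatenated(table, values) {
  const quoted = values.map(v => "'" + v + "'").join(", ");
  return "INSERT IGNORE INTO " + table + " VALUES (" + quoted + ")";
}

// Parameterized approach: the SQL text never contains any data value.
// Returns the statement and its bound parameters as separate things,
// mirroring the (sql, params) pair in the question.
function buildParameterized(table, values) {
  const placeholders = values.map(() => "?").join(", ");
  const sql = "INSERT IGNORE INTO " + table + " VALUES (" + placeholders + ")";
  return { sql: sql, params: values.slice() };
}

// Count single quotes in a statement; an odd count means a data value has
// become part of the SQL syntax and the statement is no longer what the
// developer wrote.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// A JDBC driver refuses to execute a prepared statement whose bound parameter
// count differs from its placeholder count; this mirrors that check.
function placeholdersMatch(stmt) {
  return (stmt.sql.match(/\?/g) || []).length === stmt.params.length;
}

// Constructed sample row: an id, a surname with an apostrophe, a date.
const sampleValues = ["12345", "O'Brien", "1975-04-02"];

function demo() {
  const concat = buildConcatenated("table1", sampleValues);
  const prepared = buildParameterized("table1", sampleValues);
  return {
    concatenatedSql: concat,
    // 7 quotes: the apostrophe in the surname unbalanced the literals, so the
    // database would parse (or fail to parse) a statement the developer never wrote
    concatenatedQuoteCount: countQuotes(concat),
    preparedSql: prepared.sql,
    // 0 quotes: no data ever enters the SQL text
    preparedQuoteCount: countQuotes(prepared.sql),
    preparedParams: prepared.params,
    parameterCountOk: placeholdersMatch(prepared)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

    The usage note that matters in practice: a '?' placeholder can only stand in for a value. Table and column names (table1, field1 and so on in the question) cannot be bound as parameters, so they must stay constants in the script rather than come from message content. With values bound this way there is nothing to escape or blocklist, which answers the question about replacing dangerous words or characters: that approach is not needed and is not reliable on its own.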
    • #3
      Originally posted by rodrosa:
      Yes, it's safe. When you use executeUpdate passing SQL and the LIST of parameters, mirth will perform a prepared statement in background, and you will avoid SQL Injections.
      Glad to know, thank you.
      I was and still am having trouble finding documentation for it.
      Thanks again!

      • #4
        You can find it on MIRTH JAVA DOC. http://javadocs.mirthcorp.com/connec...api/index.html

        • #5
          Found it. Thanks.
