How to modify core Java interface java.sql.Statement.execute(String sql)?
Hello,
I am trying to find a way on how to modify java.sql.Statement.execute(String sql) method.
It is in interface and unfortunately no implementation class found in src package of Java.
Can you please suggest me on how can I modify the behaviour of this method?
I need to sanitize the String sql first (from SQL Injection) and the let it behave as it should.
I have to mention, I am working on the Java framework, and not on source code of the application.
Meaning that I can only modify core Java classes, I am doing a research on creating new java version which will allow SQLi sanitization dynamically without any modification to the source code of the web applications.
Cheers,
amughost
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
You cannot modify the behavior of an interface - you can modify the behavior of the implementation of that interface. For Statement, given it is intimately tied into the database and its driver, you would have to refactor the entire implementation of the library.
Quote:
I need to sanitize the String sql first (from SQL Injection) and the let it behave as it should.
Use a PreparedStatement
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
There should be a way of doing it without modification to the entire library modification, because the idea is to enhance methods, but not to change the whole structure of library.
I need to filter the String sql before allowing to execute it.
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
I have found that in PHP, it is possible to change MySQL module and embed sanitization there, and then sent the query to MySQL engine for execution
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
Sorry, I have found the solution already. Thank you!
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
Quote:
Originally Posted by
amughost
Sorry, I have found the solution already. Thank you!
Do you care to share your solution? And BTW, as I mentioned above a PreparedStatement does prevent against SQL injection
Re: How to modify core Java interface java.sql.Statement.execute(String sql)?
I would say PreparedStatement prevents from SQL Injection, but not protects you. It is still vulnerable.
The Statement.executequery() implementation is under MySQL module for Java called MySQL Connector/J.
But Of course, for each DBMS, there is different implementation.
Thank you for your help anyways!
