
Thread: How to modify core Java interface java.sql.Statement.execute(String sql)?

  1. #1
    Junior Member, Join Date Jun 2012, Posts 7

    How to modify core Java interface java.sql.Statement.execute(String sql)?

    Hello,

    I am trying to find a way to modify the java.sql.Statement.execute(String sql) method.
    It is in an interface and unfortunately no implementation class is found in the src package of Java.

    Can you please suggest how I can modify the behaviour of this method?
    I need to sanitize the String sql first (against SQL Injection) and then let it behave as it should.

    I have to mention that I am working on the Java framework, and not on the source code of the application.
    Meaning that I can only modify core Java classes. I am doing research on creating a new Java version which will allow SQLi sanitization dynamically without any modification to the source code of the web applications.

    Cheers,
    amughost


  2. #2
    Administrator copeg, Join Date Oct 2009, Location US, Posts 5,318

    You cannot modify the behavior of an interface - you can modify the behavior of the implementation of that interface. For Statement, given it is intimately tied into the database and its driver, you would have to refactor the entire implementation of the library.

    Quote Originally Posted by amughost:
    I need to sanitize the String sql first (against SQL Injection) and then let it behave as it should.
    Use a PreparedStatement.
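One way to do what copeg describes, wrapping the implementation rather than the interface, as an added example that is not code from this thread: a hypothetical JdbcAudit class uses java.lang.reflect.Proxy to wrap a driver's Connection so that every SQL string handed to Statement.execute*(String) is recorded before the driver runs it, with no change to the application or the driver. The class name, method names and the recording policy are assumptions, and a real Connection from some JDBC driver is needed to exercise it.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Hypothetical audit hook. The Connection is where a framework can sit between
// the JDBC interface and the driver's implementation: every Statement the
// connection hands out is itself proxied, so SQL text reaching
// Statement.execute*(String) is recorded before the driver sees it.
public final class JdbcAudit {
    private final List<String> log = new ArrayList<>();
    public List<String> log() { return log; }

    public Connection wrap(Connection real) {
        return (Connection) Proxy.newProxyInstance(
            Connection.class.getClassLoader(), new Class<?>[] { Connection.class },
            (proxy, method, args) -> {
                if (method.getName().equals("prepareStatement")) {
                    // Only the template with its ? placeholders is visible here;
                    // values bound later never become part of the SQL text.
                    log.add("PREPARE: " + args[0]);
                }
                Object result = invoke(real, method, args);
                if (method.getName().equals("createStatement")) {
                    return wrapStatement((Statement) result);
                }
                return result;
            });
    }

    private Statement wrapStatement(Statement real) {
        return (Statement) Proxy.newProxyInstance(
            Statement.class.getClassLoader(), new Class<?>[] { Statement.class },
            (proxy, method, args) -> {
                // execute, executeQuery, executeUpdate all take the SQL as args[0]
                if (method.getName().startsWith("execute") && args != null
                        && args.length > 0 && args[0] instanceof String) {
                    log.add("EXECUTE: " + args[0]);
                }
                return invoke(real, method, args);
            });
    }

    // Surface the driver's own exception (e.g. SQLException), not the reflective wrapper.
    private static Object invoke(Object target, Method m, Object[] args) throws Throwable {
        try { return m.invoke(target, args); }
        catch (InvocationTargetException e) { throw e.getCause(); }
    }
}
```

For a Statement built by string concatenation the hook records the finished query with user data already inside it, while for a PreparedStatement it only ever sees the template; that separation of code from data is the property copeg is pointing at, and it is why a hook like this is a monitoring point rather than a sanitizer.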

  3. #3
    Junior Member, Join Date Jun 2012, Posts 7

    There should be a way of doing it without modifying the entire library, because the idea is to enhance methods, not to change the whole structure of the library.
    I need to filter the String sql before allowing it to execute.

  4. #4
    Junior Member, Join Date Jun 2012, Posts 7

    I have found that in PHP it is possible to change the MySQL module and embed sanitization there, and then send the query to the MySQL engine for execution.

  5. #5
    Junior Member, Join Date Jun 2012, Posts 7

    Sorry, I have found the solution already. Thank you!

  6. #6
    Administrator copeg, Join Date Oct 2009, Location US, Posts 5,318

    Quote Originally Posted by amughost:
    Sorry, I have found the solution already. Thank you!
    Do you care to share your solution? And BTW, as I mentioned above, a PreparedStatement does prevent SQL injection.

  7. #7
    Junior Member, Join Date Jun 2012, Posts 7

    I would say PreparedStatement prevents SQL Injection, but does not protect you. It is still vulnerable.
    The Statement.executeQuery() implementation is in the MySQL module for Java called MySQL Connector/J.
    But of course, for each DBMS there is a different implementation.

    Thank you for your help anyways!
