如何防止使用Java在DELETE语句中进行SQL注入?

时间:2019-05-09 20:51:43

标签: java sql sql-server jdbc

我正在尝试使用DELETE FROM LIST_ITEMS WHERE ENTRY_ID IN (entryId, ... ) SQL语句删除。下面的代码是用Java编写的,我建议直接传递数据将容易发生SQL注入。如何避免在下面的查询中使用Java进行SQL注入? 

private static final String DELETE_ENTRIES = "DELETE FROM SHOPPING_LIST_ITEMS WHERE ENTRY_ID IN (";

private static final String END =   ");";

public int deleteList(String data) throws SQLException {
        /**
         * Deletes Comma separated data in List Item Table
         * c
         * TODO - SQL injection ?
         */
        return  connection.createStatement().executeUpdate(DELETE_ENTRIES + data + END);
    }

0 个答案:

没有答案
相关问题
最新问题