WebApp Sec
mailing list archives
Re: Re: Re: JDBC protections against SQL Injection
From: jjs_ritasa () verizon net
Date: 19 Mar 2009 17:58:13 -0000
I have seen and responded to the comments. I spent some time this morning testing the PreparedStatement interface, and
it does handle the special character issue. I posted an update to the OP which includes this link
(http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java) to the OWASP page discussing preventing SQL
injections in Java apps.
While I am strongly opposed to the 'Ready, Fire, Aim' procedure that I just followed, the reason this was such a hot
button issue for me is that I have revisited it several times during development and testing. And the javadoc doesn't
say anything about the security aspects of the methods. The main use it gives for Prepared Statements is for
efficiency. So my app is currently using the Statement.execute___ methods, which do no input parsing.
And that leads to the question, why don't the Statement execute methods call the same parser that the PreparedStatement
interface uses? If there are multiple ways of executing SQL statements, some of which are more secure than others,
isn't that just begging for insecure code?
Later . . . Jim