OWASP Top Ten Project 2013 No 1 – Injection
To avoid SQL injection vulnerabilities only prepared statements with parameter binding should be used: String custname = request.getParameter(“customerName”); String query = “SELECT account_balance FROM user_data WHERE user_name = ?”; PreparedStatement pstmt = connection.prepareStatement(query); pstmt.setString(1, custname); ResultSet results = pstmt.executeQuery(); Intershop