Java Security - Part 14: Preventing common security vulnerabilities in Java (SQL injection, cross-site scripting)
Author: Gary Huynh (@gary_atruedev)
Arr matey! Strap yourself to the mast, 'cause we're about to brave the stormy seas of common security vulnerabilities in Java. We've got two notorious scoundrels on our hands: SQL injection and cross-site scripting (XSS). These two be as infamous in the coding world as Blackbeard and Captain Kidd be on the high seas!
First up, SQL injection, the bane of databases across the Seven Seas! It happens when you build a SQL query by concatenating user input straight into the query text, so the database has no way to tell your SQL from the attacker's. Like this:
```java
String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
```
If someone enters `' OR '1'='1`, the first quote closes your string literal and the rest becomes SQL of the attacker's choosing. The query turns into `SELECT * FROM users WHERE username = '' OR '1'='1'`, and since `'1'='1'` is always true it matches every row and returns all users. Yarrr, that be a disaster! The same trick can be used to add `UNION` clauses, comment out the rest of your query, or (with some drivers) tack on a second statement.
Instead, use a `PreparedStatement`. This be like making your parrot deliver the message instead of shouting it out for the whole crew to hear:
```java
String query = "SELECT * FROM users WHERE username = ?";
try (PreparedStatement pstmt = connection.prepareStatement(query)) {
    pstmt.setString(1, userInput); // bound as data, never parsed as SQL
    try (ResultSet results = pstmt.executeQuery()) {
        // read rows from results
    }
}
```
The `?` in the query is a placeholder, and we're setting its value with `setString()`. The SQL text is compiled with the placeholder in place and the value is sent separately as data, so no matter what the user input be, it can't change the structure of the query. Two caveats, though: a `PreparedStatement` only protects you if the whole statement is parameterized (concatenating input into the string you pass to `prepareStatement()` is just as vulnerable as before), and placeholders can only stand in for values, not for table or column names or `ORDER BY` targets. Those must be checked against an allow-list of names you control.
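To see the difference end to end, here is an added example (not code from the original article) that runs the concatenated query and the prepared query side by side against an in-memory database, and shows the allow-list pattern for a sort column that cannot be bound with `?`. It assumes the H2 JDBC driver (`com.h2database:h2`) is on the classpath; the database, the `users` table and its three rows are constructed inside the program.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

// Added example: vulnerable lookup vs. prepared lookup vs. allow-listed identifier.
// Assumes the H2 driver is on the classpath; all data below is constructed here.
public class SqlInjectionDemo {

    // The classic payload from the article text.
    static final String MALICIOUS = "' OR '1'='1";

    // Vulnerable: user input is concatenated into the SQL text.
    static int vulnerableLookup(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT * FROM users WHERE username = '" + userInput + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // Hardened: the value is bound as a parameter and never parsed as SQL.
    static int safeLookup(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT * FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userInput);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    // Identifiers (column names, ORDER BY targets) cannot be bound with '?'.
    // The safe option is an allow-list of names the application itself defines.
    static final Set<String> SORTABLE = Set.of("id", "username");

    static String orderedQuery(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Safe to concatenate: the value is one of our own constants, not user text.
        return "SELECT * FROM users ORDER BY " + sortColumn;
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) n++;
        return n;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users(id INT PRIMARY KEY, username VARCHAR(50))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            }
            System.out.println("concatenated, input 'alice'  : " + vulnerableLookup(conn, "alice"));
            System.out.println("concatenated, injected input : " + vulnerableLookup(conn, MALICIOUS));
            System.out.println("prepared,     input 'alice'  : " + safeLookup(conn, "alice"));
            System.out.println("prepared,     injected input : " + safeLookup(conn, MALICIOUS));

            System.out.println(orderedQuery("username"));
            try {
                orderedQuery("username; DROP TABLE users");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With the injected input, the concatenated query returns every row in the table, while the prepared query returns none, because the database looks for a user literally named `' OR '1'='1`. The `orderedQuery` helper shows the other half of the story: when you genuinely must splice a name into SQL, validate it against a fixed set rather than trying to escape it.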
Now, let's set our spyglass on cross-site scripting (XSS). This be when someone tricks your site into running malicious JavaScript in other visitors' browsers. Let's say you have a comment section on your site and you display comments like this:
```java
out.println("<h2>" + userComment + "</h2>");
```
If some scurvy dog enters `<script>/* bad stuff */</script>` as their comment, the browser sees a real script element and runs it for everyone who views the page. To prevent this, escape user data at the moment you write it into the page, for the context it lands in. Most modern Java web frameworks and template engines do this for you by default, but if you're writing your own HTML:
```java
out.println("<h2>" + escapeHtml(userComment) + "</h2>");
```
An HTML escaper replaces `<` with `&lt;`, `>` with `&gt;`, `&` with `&amp;`, and the quote characters with `&quot;` and `&#39;`, so the browser displays the text instead of interpreting it as markup. Note that `escapeHtml()` here stands for whatever encoder you use; the JDK has no built-in one, so reach for a maintained library such as the OWASP Java Encoder (`Encode.forHtml`) rather than rolling your own. Escaping is also context-specific: what is safe inside an element body is not enough inside a JavaScript block or a URL, which need their own encoders. The trick is to treat all user input as untrustworthy - assume it's a mutinous crew member waiting for the right moment to pounce!
Keep these lessons in mind, and you'll ward off the threats of SQL injection and XSS like a seasoned sea dog fending off a kraken. Yarrr!
🚀 Continue Your Journey
Ready to dive deeper into Java Security? Continue to Part 15: Security Coding Practices →