
Question and Answer

Connor McDonald

Thanks for the question, vijay.

Asked: March 20, 2019 - 2:20 pm UTC

Last updated: March 26, 2019 - 8:35 am UTC

Version: 10

Viewed 1000+ times

You Asked

Hi,

Oracle provides the dbms_assert package with functions which can be used to safeguard against SQL injection. Shall I use this package like below in my Java application?

select DBMS_ASSERT.sql_object_name ('test') from dual;

I didn't see people using it in Java applications. It is used more in procedures. Is it okay to use in Java as well? Will it avoid SQL injection through the JDBC driver? I had doubts because it will not use PreparedStatement from Java to execute the above query.

and Connor said...

The easiest way to avoid SQL injection in Java is to use bind variables, i.e., via PreparedStatement.

If you never use user input *directly* in a SQL statement execution, then you will never need to worry about SQL injection.

So that is the easiest/best way. But if for some reason (?) you cannot, then DBMS_ASSERT will be an adequate fallback mechanism.

But use bind variables. Much easier.
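To make the advice above concrete, here is an added Java/JDBC example (it is not code from the question or the answer). It shows the concatenated query that is open to injection, the same query with a bind variable, and the one case where a bind cannot help: an identifier such as a table name, which cannot be a bind variable and so is first passed (itself as a bind) through DBMS_ASSERT.SQL_OBJECT_NAME, exactly the call from the question. The table APP_USER with a USERNAME column, the schema user "app", the connect string and the password are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindVsAssertDemo {

    // VULNERABLE: user input is pasted into the SQL text. An input such as
    //   x' or '1'='1
    // rewrites the WHERE clause and the query returns every row.
    static int countVulnerable(Connection conn, String username) throws SQLException {
        String sql = "select count(*) from app_user where username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the value travels as a bind variable and never becomes SQL text,
    // so the same input is simply compared, as a string, against USERNAME.
    static int countWithBind(Connection conn, String username) throws SQLException {
        String sql = "select count(*) from app_user where username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Identifiers (table or column names) cannot be bound, so this is where
    // DBMS_ASSERT earns its keep. The candidate name is sent as a bind, and
    // only the value DBMS_ASSERT returns is ever concatenated. If the string
    // is not the name of an existing object visible to this session,
    // DBMS_ASSERT.SQL_OBJECT_NAME raises an error and nothing else runs.
    static String assertObjectName(Connection conn, String candidate) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "select dbms_assert.sql_object_name(?) from dual")) {
            ps.setString(1, candidate);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getString(1);
            }
        }
    }

    // Dynamic table name from the user: validate first, then concatenate the
    // validated name only. Any row-level filter would still go through binds.
    static long countRowsIn(Connection conn, String tableFromUser) throws SQLException {
        String safeName = assertObjectName(conn, tableFromUser);
        try (PreparedStatement ps = conn.prepareStatement("select count(*) from " + safeName);
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getLong(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection details; change them for your environment.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:oracle:thin:@//localhost:1521/ORCLPDB1", "app", "secret")) {

            String evil = "x' or '1'='1";
            System.out.println("vulnerable count : " + countVulnerable(conn, evil)); // all rows
            System.out.println("bound count      : " + countWithBind(conn, evil));   // 0 (literal match)

            System.out.println("rows in APP_USER : " + countRowsIn(conn, "app_user"));
            try {
                // Not an object name, so DBMS_ASSERT rejects it before any query is built.
                countRowsIn(conn, "app_user where 1=1 union select 1 from dual");
            } catch (SQLException e) {
                System.out.println("rejected by DBMS_ASSERT: " + e.getMessage());
            }
        }
    }
}
```

Two points worth keeping in mind when reading this. First, the answer to the original question is visible in `assertObjectName`: calling DBMS_ASSERT from JDBC is fine, but the string being checked should itself be passed as a bind, otherwise the validation query is injectable in the same way as the query it is meant to protect. Second, SQL_OBJECT_NAME is a check on identifiers, not a general sanitiser for values; a user name, search term or amount belongs in a bind variable and should never be routed through DBMS_ASSERT instead.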

