0

The code displayed below is used to search through job listings, the prepared statement was added in to prevent SQL injections which it is vulnerable too. The query statement search worked before adding the prepared statement, however, now returns nothing. Can anyone see what I'm doing wrong? Thanks. The previous code looked like this:

try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/SQL_DB", "root", "root"); Statement stmt = con.createStatement()) { rs = stmt.executeQuery(queryStatement);

The code now looks like this:

public List<jobs> searchjobs(@RequestParam String query) {
    log.debug("REST request to search jobs for query {}", query);


    String queryStatement = "SELECT * FROM jobs WHERE description like '%" + query + "%'";
    log.info("Final SQL query {}", queryStatement);

    ResultSet rs = null;

    try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/SQL_DB", "root", "root");
        PreparedStatement stmt = con.prepareStatement(queryStatement)) {
        stmt.setString(1, query);
        rs = stmt.executeQuery(queryStatement);
        return extractjobs(rs);
    } catch (SQLException ex) {
        log.error(ex.getMessage(), ex);
        return new ArrayList();
    } finally {
        try {
            if (rs != null) {
                rs.close();
            }
        } catch (SQLException ex) {
            log.error(ex.getMessage(), ex);
        }
    }
}
Improve this question
1
  • please post ALL the previous code, not only the connection string, most probably there is a problem when you stmt.setString(1, query) since the query has no parameter Commented Mar 17, 2020 at 15:52

2 Answers 2

Reset to default
1

You missed the essence of a prepared statement. When using it, you are substituting all variables with placeholders like this

String queryStatement = "SELECT * FROM jobs WHERE description like ?";

and then you can bind the query variable like you did. Just add those percent characters to it first

stmt.setString(1, "%" + query + "%");
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Sorry, not really sure what you mean. Could you please show me in the context of the question?
Still returning nothing unfortunately
OK. Change the other line accordingly. as shown in my answer. Can you do that?
1

You might have read the common advice "use prepared statements to protect against SQL injection." But this advice is only half of the truth.

The full truth is that you should use query parameters to separate untrusted content from your query. It just happens that using query parameters requires you to use prepared statements, so you can separate the prepare step from the execute step, and bind parameters to your prepared query in between these two steps.

This helps protect against SQL injection because the prepare is when your query is parsed. If you keep untrusted content separate from the query until after it's parsed, then the untrusted content cannot introduce SQL injection.

Your query has no parameter placeholders. You're concatenating your untrusted content into the statement just like before, which means it still has an SQL injection vulnerability.

String queryStatement = "SELECT * FROM jobs WHERE description like '%" + query + "%'";

Should be:

String queryStatement = "SELECT * FROM jobs WHERE description like ?";

Since your query has no parameter placeholders, it should be an error when you attempt to bind to it:

    stmt.setString(1, query);

Does this throw an exception? You seem to log it, so check your log.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.