Protection against SQL injection

Source: http://thedailywtf.com/Articles/SQL-Injection-Protection–3.aspx

// The following string is an SQL comment, and could
// blank out the check for password in our SQL statement
// if used in the username!
if (username.indexOf("';--") != -1) {
    throw new AuthorisationException(username + " given as login name contains ';--, this is bad for SQL!");
}

// Get the (hopefully single) id of the player with
// this name and password
ResultSet authorised = statement.executeQuery("SELECT id FROM table_name_redacted WHERE " + "username='" + username + "' AND password='" + password + "';");
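The snippet above only rejects one literal token (`';--`), only in the username, and still splices both fields straight into the SQL text. The following added example (written for this note, not code from the linked article) reproduces that check against a constructed in-memory SQLite table and puts it beside a query with bound parameters. The table name `players` and the sample rows are assumptions; the helper names `login_blacklist` and `login_parameterized` are invented for the demonstration.

```python
import sqlite3

BAD_SUBSTRING = "';--"  # the one token the original check looks for


def make_db():
    """Constructed in-memory sample table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO players (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "pw")],
    )
    conn.commit()
    return conn


def login_blacklist(conn, username, password):
    """The article's approach: reject one substring in the username, then concatenate."""
    if BAD_SUBSTRING in username:
        raise PermissionError(f"{username} given as login name contains {BAD_SUBSTRING}")
    query = (
        "SELECT id FROM players WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the driver passes values separately; they are never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM players WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    results = {}

    # 1. The exact token the check looks for is caught in the username ...
    try:
        login_blacklist(conn, "alice';--", "x")
        results["token_blocked"] = False
    except PermissionError:
        results["token_blocked"] = True

    # 2. ... but the password field is never inspected, so a quote there
    #    rewrites the WHERE clause; the bound query treats it as plain text.
    tampered = "x' OR 'a'='a"
    results["blacklist_bypassed"] = login_blacklist(conn, "alice", tampered) == 1
    results["parameterized_safe"] = login_parameterized(conn, "alice", tampered) is None

    # 3. A legitimate apostrophe breaks the concatenated query (syntax error)
    #    but is handled correctly once the value is bound.
    try:
        login_blacklist(conn, "o'brien", "pw")
        results["apostrophe_breaks_concat"] = False
    except sqlite3.OperationalError:
        results["apostrophe_breaks_concat"] = True
    results["apostrophe_ok_bound"] = login_parameterized(conn, "o'brien", "pw") == 2

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two things are worth noticing: the substring filter does not even look at the field that carries the tampered value, and it also breaks logins for any user whose name legitimately contains an apostrophe. Binding the values fixes both problems at once, which is why it is the standard remedy rather than a longer list of forbidden substrings.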
