
KEYWORD AND (SELECT CHR(86)||CHR(76)||CHR(79)||CHR(118) FROM SYSIBM.SYSDUMMY1)=CHR(86)||CHR(76)||CHR(79)||CHR(118) AND 'nbzX'='nbzX

Decoded, this is a boolean-based SQL injection probe aimed at a DB2 back end: SYSIBM.SYSDUMMY1 is DB2's one-row dummy table, CHR(86)||CHR(76)||CHR(79)||CHR(118) concatenates the characters V, L, O and v into the string 'VLOv', and both comparisons ('VLOv'='VLOv' and 'nbzX'='nbzX') are tautologies. The injected clause therefore leaves the query's result unchanged. A scanner sends this true variant and a deliberately false one and compares the two responses; if they differ, the parameter is injectable. The probe itself reads or modifies nothing, but a positive result means the same injection point will carry any other SQL the attacker chooses.

The fix is to stop building SQL by string concatenation and use a parameterised query. In JDBC:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// The '?' placeholders are bound after the statement is compiled, so the
// user's input can never change the structure of the SQL.
String query = "SELECT * FROM users WHERE name = ? AND password = ?";
PreparedStatement statement = connection.prepareStatement(query);
statement.setString(1, userInputName);
statement.setString(2, userInputPassword);
ResultSet results = statement.executeQuery();
```

This approach prevents the injection of malicious SQL by treating all user input as data, not as part of the SQL command. (Comparing the password inside the query, as this snippet does, implies it is stored in clear text; in practice fetch the stored password hash by name and verify it in application code.)

The string you've provided seems to be an example of such an attack:

{keyword}' And (select Chr(86)||chr(76)||chr(79)||chr(118) From Sysibm.sysdummy1)=chr(86)||chr(76)||chr(79)||chr(118) And 'nbzx'='nbzx -
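To make the difference concrete, here is an added example that is not part of the original page or any project it describes. It runs the probe above, unchanged, against an in-memory SQLite database: SQLite has char() rather than CHR() and no SYSIBM.SYSDUMMY1, so the script registers a CHR function and attaches a schema named SYSIBM with a one-row SYSDUMMY1 table to stand in for DB2. The products table and its rows are constructed for the example, as is the keyword "widget" in place of the page's {keyword} placeholder. It shows the true and false variants of the probe producing different results through a concatenated query (the signal a scanner looks for) and the same payload producing no match at all through a parameterised query.

```python
import sqlite3

# Constructed sample table (not from the original page).
PRODUCTS = [("widget", 9.99), ("gadget", 19.99)]

# The probe from the page. CHR(86)||CHR(76)||CHR(79)||CHR(118) is 'VLOv', so the
# comparison is always true and the WHERE clause keeps its original rows: a
# boolean-based injection test that does not alter data.
TRUE_PROBE = (
    "widget' AND (SELECT CHR(86)||CHR(76)||CHR(79)||CHR(118) FROM SYSIBM.SYSDUMMY1)"
    "=CHR(86)||CHR(76)||CHR(79)||CHR(118) AND 'nbzX'='nbzX"
)
# Same shape with one byte changed ('WLOv' vs 'VLOv'), so the condition is false.
FALSE_PROBE = TRUE_PROBE.replace(")=CHR(86)", ")=CHR(87)", 1)


def make_db():
    """In-memory SQLite database that accepts the DB2-flavoured probe as written."""
    conn = sqlite3.connect(":memory:")
    # SQLite spells the function char(); register CHR so the payload runs unchanged.
    conn.create_function("CHR", 1, chr)
    # Emulate DB2's one-row dummy table SYSIBM.SYSDUMMY1 as an attached schema
    # (assumption for the example; not how a real DB2 exposes it).
    conn.execute("ATTACH DATABASE ':memory:' AS SYSIBM")
    conn.execute("CREATE TABLE SYSIBM.SYSDUMMY1 (IBMREQD TEXT)")
    conn.execute("INSERT INTO SYSIBM.SYSDUMMY1 VALUES ('Y')")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def vulnerable_search(conn, keyword):
    """String concatenation: the attacker's quote ends the literal and the rest is SQL."""
    sql = "SELECT name FROM products WHERE name = '" + keyword + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, keyword):
    """Parameterised query: the whole payload is bound as one string value."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (keyword,))]


def blind_oracle(conn, probe):
    """What the attacker observes: does the page still show the 'widget' row?"""
    return vulnerable_search(conn, probe) == vulnerable_search(conn, "widget")


if __name__ == "__main__":
    db = make_db()
    print("true probe, concatenated :", vulnerable_search(db, TRUE_PROBE))   # ['widget']
    print("false probe, concatenated:", vulnerable_search(db, FALSE_PROBE))  # []
    print("true probe, parameterised:", safe_search(db, TRUE_PROBE))         # []
```

With concatenation the true probe returns the widget row and the false probe returns nothing, which is exactly the yes/no oracle a blind injection tool builds on. With the parameterised query the probe is just a product name that does not exist, so both variants return nothing and the oracle disappears.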
