% Beamer slide on preventing SQL injection. The frame is [fragile] because it
% holds a verbatim-like lstlisting environment (plain frames cannot contain it).
\begin{frame}[fragile]
  \frametitle{SQL Injection: How to Prevent It?}
  \begin{goal}{To Prevent SQL Injection}
    \begin{itemize}
      \item \alert{\emph{Never build SQL queries with user input using string concatenation!}}
      \pause
      \item Use the API to fill in the query parameters.
    \end{itemize}
  \end{goal}
  \pause\medskip
  % The listing shows the safe pattern: the SQL text is a constant with `?'
  % placeholders, and the user-supplied values are bound via setString(), so
  % the database receives them as data rather than as part of the statement.
  % The `+' operators in the listing only join constant string literals, never
  % user input -- worth saying out loud, since the bullet above forbids
  % concatenation and students may read the `+' as a contradiction.
  % NOTE(review): the example compares the submitted password directly in the
  % query, which implies the table stores passwords in the clear; a real system
  % would store and compare a password hash -- a remark on the slide may help.
  \begin{code}{\textwidth}{Preventing SQL Injection}
\begin{lstlisting}
String userName = // name that the user has entered
String userPassword = // password that the user has entered
PreparedStatement stat = conn.prepareStatement(
  "select balance from accounts " +
  "where name = ? " +
  " and password = ? ");
// use the API to fill the name and password
stat.setString(1, userName);
stat.setString(2, userPassword);
ResultSet rs = stat.executeQuery();
\end{lstlisting}
  \end{code}
\end{frame}

% Shared UML fragment (tikz-uml: \umlclass / \umlassoc) used inside a
% tikzpicture: Event --(0..* : 1)--> Venue --(0..* : 1)--> Address, laid out
% left to right via the x= offsets.
\newcommand{\exampleuml}{
  \umlclass{Event}{ +name \\ +date }{ }
  \umlclass[x=3.4]{Venue}{ +name }{ }
  \umlclass[x=6.8]{Address}{ +street\\ +city }{ }
  % NOTE(review): both associations are given name=assoc; if anything later
  % refers to the association by that name, the second definition shadows the
  % first -- verify against the tikz-uml docs / any \umlnote that uses it.
  \umlassoc[arg1=0..*,pos1=0.3,arg2=1,pos2=.8,name=assoc]{Event}{Venue}
  \umlassoc[arg1=0..*,pos1=0.3,arg2=1,pos2=.8,name=assoc]{Venue}{Address}
}

% Figure for the object-relational mapping slides (presumably Hibernate, per
% the macro name -- not shown here): the UML model from \exampleuml, a dashed
% box with the Java class skeleton below it, and a red "mapping" node with two
% arrows pointing at the model and at the class box. Scaled to 80% and
% centred with the custom tcenter environment (defined elsewhere).
\newcommand{\examplehibernate}{
  \begin{tcenter}
    \scalebox{.8}{
      \begin{tikzpicture}
        \exampleuml
        % Java view of the Event entity; \ \ gives the two-space indent in \texttt.
        \node [align=left,fill=blue!10,rectangle,rounded corners=1mm,dashed,draw,inner sep=2mm] at (-2.3,-3) {
          \small\texttt{public class Event \{}\\
          \small\texttt{\ \ String getName();}\\
          \small\texttt{\ \ String getDate();}\\
          \small\texttt{\ \ Venue getVenue();}\\
          \small\texttt{\}}
        };
        \node [align=center,draw,fill=red!10] (m) at (-3,0cm) {mapping};
        % arrow tips use the `triangle 45' style from the classic arrows library
        \draw [ultra thick,red,->,>=triangle 45] (m) -- +(2cm,0cm);
        \draw [ultra thick,red,->,>=triangle 45] (m) -- +(0cm,-1.9cm);
      \end{tikzpicture}
    }
  \end{tcenter}
}

% \theme is a presentation-local macro (defined elsewhere); presumably it
% starts the next topic section.
\theme{Object Relational Mapping}