% Slide: how to prevent SQL injection -- the rule (never build the query text
% from user input) followed by a Java/JDBC example that binds both user-supplied
% values as parameters of a PreparedStatement.  [fragile] is required because
% the frame body contains a verbatim lstlisting.
\begin{frame}[fragile]
\frametitle{SQL Injection: How to Prevent It?}
\begin{goal}{To Prevent SQL Injection}
\begin{itemize}
\item \alert{\emph{Never build SQL queries with user input using string concatenation!}}
\pause
\item Use the API to fill in the query parameters.
\end{itemize}
\end{goal}
\pause\medskip
% Notes on the listing (kept outside the lstlisting so they are not typeset):
% - The two "String ... = // ..." lines appear to be placeholders for wherever
%   the input actually comes from; the snippet does not compile verbatim
%   (the assignments have no right-hand side).
% - The SQL text is a fixed literal; only the two '?' placeholders are bound
%   via setString, so the user input never becomes part of the SQL grammar.
%   That is the whole point of the example.
% - NOTE(review): the password is compared inside the query, i.e. against a
%   stored cleartext column.  Out of scope for this slide (injection), but not
%   how credentials should be verified -- the usual approach is to fetch the
%   stored hash and compare in application code.
\begin{code}{\textwidth}{Preventing SQL Injection}
\begin{lstlisting}
String userName = // name that the user has entered
String userPassword = // password that the user has entered
PreparedStatement stat = conn.prepareStatement(
"select balance from accounts " +
"where name = ? " +
" and password = ? ");
// use the API to fill the name and password
stat.setString(1, userName);
stat.setString(2, userPassword);
ResultSet rs = stat.executeQuery();
\end{lstlisting}
\end{code}
\end{frame}
% \exampleuml: three tikz-uml classes laid out left to right (Event at x=0,
% Venue at x=3.4, Address at x=6.8), each with an attributes compartment and
% an empty operations compartment, joined by two associations whose
% multiplicity labels (arg1=0..*, arg2=1) sit at pos1/pos2 along the edge.
% Expand only inside a tikzpicture.
% NOTE(review): both \umlassoc calls pass name=assoc, so the second reuses the
% first relation's name; harmless unless something later refers to "assoc".
% Whitespace inside the class arguments is part of the node text -- leave as is.
\newcommand{\exampleuml}{
\umlclass{Event}{
+name \\
+date
}{
}
\umlclass[x=3.4]{Venue}{
+name
}{
}
\umlclass[x=6.8]{Address}{
+street\\
+city
}{
}
\umlassoc[arg1=0..*,pos1=0.3,arg2=1,pos2=.8,name=assoc]{Event}{Venue}
\umlassoc[arg1=0..*,pos1=0.3,arg2=1,pos2=.8,name=assoc]{Venue}{Address}
}
% \examplehibernate: the UML diagram from \exampleuml plus a dashed, light-blue
% box holding the Java skeleton of the Event class, and a red "mapping" node
% with two arrows (one to the right, one downwards) connecting the two views.
% The whole picture is scaled to 80% and centred by the tcenter environment.
\newcommand{\examplehibernate}{
\begin{tcenter}
\scalebox{.8}{
\begin{tikzpicture}
\exampleuml
% Code box: align=left is what makes \\ act as a line break inside the node;
% "\ \ " produces the two-space indent (ordinary spaces would collapse to one).
\node [align=left,fill=blue!10,rectangle,rounded corners=1mm,dashed,draw,inner sep=2mm] at (-2.3,-3) {
\small\texttt{public class Event \{}\\
\small\texttt{\ \ String getName();}\\
\small\texttt{\ \ String getDate();}\\
\small\texttt{\ \ Venue getVenue();}\\
\small\texttt{\}}
};
% Named node (m) so the two arrows below can start from it.
\node [align=center,draw,fill=red!10] (m) at (-3,0cm) {mapping};
% ">=triangle 45" is a tip from the legacy "arrows" library (arrows.meta's
% Triangle is the modern equivalent); relative targets (+(...)) keep the arrow
% lengths independent of where (m) ends up.
\draw [ultra thick,red,->,>=triangle 45] (m) -- +(2cm,0cm);
\draw [ultra thick,red,->,>=triangle 45] (m) -- +(0cm,-1.9cm);
\end{tikzpicture}
}
\end{tcenter}
}
% Heading for the next topic.  \theme is not a standard beamer command (that
% would be \usetheme); it is presumably a document-local sectioning macro --
% confirm where it is defined.
\theme{Object Relational Mapping}