Standard library to escape strings (without prepared statements)

Question

I'm searching for a Java standard library to escape strings before using them in a SQL statement. This is mainly to prevent errors and to prevent SQL injection, too. Unfortunately, I will not be able to use prepared statements as is is suggested in a lot of other threads.

Is there any standard library I can use? I've seen StringEscapeUtils at Apache Commons but I really don't know if this is state of the art.

Thank you very much in advance!

Answer 1

This is a non-trivial problem and a critical one because of SQL injection security issues. I would instead consider using SQL ? type arguments instead of escaping. For example, to search for a particular string:

Instead of doing:

SELECT * FROM accounts
    WHERE name = 'escapedstring1' AND password = 'escapedstring2'

I'd use:

SELECT * FROM accounts WHERE name = ? AND password = ?

You will then need to pass in the injected strings (without any escaping needed) as arguments to your SQL methods. Here's how to do it using JDBC. Not sure if that would apply to you.

Something like:

String statement = "SELECT * FROM accounts WHERE name = ? AND password = ?";
try {
  PreparedStatement stmt = databaseConnection.prepareStatement(updateString);
  // notice that it is 1 based, not 0 (ick)
  stmt.setString(1, name);
  stmt.setString(2, password);
  ResultSet results = stmt.executeQuery();

Here's how ORMLite, my ORM library, does it as an example using a select argument.

Hope this helps.

Answer 2

You can use Apache Commons, it's the very mature project.