SQL injection vulnerabilities occur when you build SQL strings manually
through string concatenation, like this:
String sqlStatement = "SELECT ID FROM MYTABLE WHERE TEXTFIELD LIKE '%" +
queryFromUser + "%';";
The simplest way, IMO, to protect against SQL injection attacks is to not
do this. Usin
John - trying to protect against SQL injection by black listing possible
SQL reserved words is not a good approach for preventing sql injection. The
proper way to deal with that is to not use string concatenation (using the
content of your text field) for your queries, and use prepared statements
t
