garyng Posted November 25, 2007 Hi, I am writing a system that allows users to upload jrxml and run it on the Tomcat server. So do I need to worry about what the queryString (SQL) can do, like dangerous DELETE/UPDATE/DROP/ALTER etc.? In a similar fashion, should I worry about code injection if the SQL statements are parameterized? Or would it be easier/safer to just create an RDBMS user who can only READ RDBMS tables and use this user to connect to the JDBC data source? How in general do people handle situations like this?
martynhiemstra Posted November 26, 2007 As far as I know, executeQuery in ResultSet is called. This only accepts SELECT queries. If you try an UPDATE in executeQuery then you get an error. Why don't you try it yourself? You can create your own jrxml file with an update or truncate query. I find it much more satisfying doing something myself instead of asking others. In the time it took you to get a response you could have found out for yourself, so getting an answer is also faster.
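An added example, not code from this thread or from JasperReports, of the kind of check the original poster is asking about: parse the uploaded jrxml, pull out its queryString, and reject anything that is not a single SELECT or that uses JasperReports' literal $P!{} substitution instead of a bound $P{} parameter. It assumes only the JDK; the jrxml strings in main are constructed samples.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class JrxmlQueryCheck {
    // One statement only: must start with SELECT or WITH and may not contain ';'
    // (a ';' inside a string literal is rejected too; that is the conservative choice).
    private static final Pattern SELECT_ONLY =
        Pattern.compile("^\\s*(SELECT|WITH)\\b[^;]*$", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    // $P!{x} pastes the parameter value into the SQL text; $P{x} is bound by JDBC.
    private static final Pattern LITERAL_PARAM = Pattern.compile("\\$P!\\{");

    /** Returns the SQL in <queryString>, or null if it is missing or not SQL. */
    static String extractQuery(String jrxml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The XML itself is untrusted: forbid DOCTYPE so no external entities are resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(jrxml)));
        Element q = (Element) doc.getElementsByTagName("queryString").item(0);
        if (q == null) return null;
        String lang = q.getAttribute("language");            // absent means SQL
        if (!lang.isEmpty() && !lang.equalsIgnoreCase("sql")) return null;
        return q.getTextContent().trim();
    }

    /** True only for a single SELECT that uses bound parameters. */
    static boolean isAcceptable(String sql) {
        return sql != null
            && SELECT_ONLY.matcher(sql).matches()
            && !LITERAL_PARAM.matcher(sql).find();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample uploads (not real reports): first is accepted, the other two rejected.
        String[] samples = {
            "<jasperReport name=\"a\"><queryString><![CDATA[SELECT id, total FROM orders WHERE cust = $P{cust}]]></queryString></jasperReport>",
            "<jasperReport name=\"b\"><queryString><![CDATA[UPDATE orders SET total = 0]]></queryString></jasperReport>",
            "<jasperReport name=\"c\"><queryString><![CDATA[SELECT id FROM orders WHERE $P!{filter}]]></queryString></jasperReport>",
        };
        for (String s : samples) {
            String sql = extractQuery(s);
            System.out.println((isAcceptable(sql) ? "accept: " : "reject: ") + sql);
        }
    }
}
```

A check like this complements, rather than replaces, running the reports through a JDBC account that only has SELECT rights on the tables the reports need.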