
Do I need to worry about code injection?


garyng


Hi,

I am writing a system that allows users to upload jrxml files and run them on the Tomcat server.

So do I need to worry about what the queryString (SQL) can do, like dangerous DELETE/UPDATE/DROP/ALTER, etc.?

In a similar fashion, should I worry about code injection if the SQL statements are parameterized?

Or would it be easier/safer to just create an RDBMS user who can only READ RDBMS tables and use this user to connect to the JDBC data source?

How do people in general handle situations like this?


As far as I know, executeQuery in ResultSet is called. This only accepts SELECT queries. If you try an UPDATE in executeQuery, then you get an error.

Why don't you try it yourself? You can create your own jrxml file with an update or truncate query. I find it much more satisfying doing something myself instead of asking others. In the time it took you to get a response you could have found out for yourself, so getting an answer is also faster.

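Added example, not from anyone in this thread: a small JDBC program showing the third option from the question, a SELECT-only database user as the data source for uploaded reports. It assumes the H2 driver is on the classpath (chosen only because it runs in-memory); the table, user name, password and queries are constructed for the demo. The point it makes is that the database enforces the grant no matter which JDBC method the report engine uses to run the queryString, so the protection does not depend on executeQuery refusing non-SELECT statements.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Assumed: the H2 JDBC driver is on the classpath. The in-memory database,
 * the orders table, the user name/password and the queries are all constructed
 * for this example.
 */
public class ReadOnlyReportUser {

    static final String URL = "jdbc:h2:mem:reports;DB_CLOSE_DELAY=-1";

    /** Runs a queryString the way a report data source would and says whether the database let it through. */
    static String tryQuery(Connection c, String sql) {
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            int rows = 0;
            while (rs.next()) rows++;
            return "ALLOWED (" + rows + " rows)";
        } catch (SQLException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Owner connection: create the schema, then a user that holds SELECT only
        try (Connection admin = DriverManager.getConnection(URL, "sa", "");
             Statement st = admin.createStatement()) {
            st.execute("CREATE TABLE orders(id INT PRIMARY KEY, total DECIMAL(10,2))");
            st.execute("INSERT INTO orders VALUES (1, 10.00), (2, 25.50)");
            st.execute("CREATE USER report_reader PASSWORD 'constructed-secret'");
            st.execute("GRANT SELECT ON orders TO report_reader");
        }

        // The data source the uploaded reports get: the SELECT-only user
        try (Connection reader = DriverManager.getConnection(URL, "report_reader", "constructed-secret")) {
            System.out.println(tryQuery(reader, "SELECT id, total FROM orders"));
            // Writes are refused by the grant, whichever JDBC method the report engine uses
            System.out.println(tryQuery(reader, "UPDATE orders SET total = 0"));
            System.out.println(tryQuery(reader, "DROP TABLE orders"));
            // A write stacked behind a SELECT fares no better against the grant
            System.out.println(tryQuery(reader, "SELECT id FROM orders; DELETE FROM orders"));
        }
    }
}
```

Only the first call prints ALLOWED; the exact wording of each REJECTED message is driver-specific.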
