However, the real cause for concern is the string concatenation that builds the SQL statement. If a user enters an ID of 1001, then you get the following SQL statement, which is perfectly valid and well formed.
SELECT hasshipped FROM shipping WHERE id = '1001'
However, attackers are more creative than this. They would enter an ID of "'1001' DROP table shipping --", which would execute the following query:
SELECT hasshipped FROM shipping WHERE id = '1001' DROP table shipping -- ';
I tried to do this on my database but couldn't get anything bad to happen.
My code is:

// Deliberately vulnerable: the statement text is built by concatenating user input.
if ("null".equals(flan.getSelectedItem().toString())) {   // == on Strings compares object identity, not contents
    s = "INSERT INTO FILE VALUES ('" + f + "', null);";
} else {                                                   // without this else the first assignment was always overwritten
    s = "INSERT INTO FILE VALUES ('" + f + "', '" + flan.getSelectedItem().toString() + "');";
}
I tried several times to get bad things to happen, but I can't. I am not sure why I can't, which is not reassuring, so can anyone give me some pointers please?
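An added illustration, not part of the post above or the book it quotes: the same two insert styles in Python against an in-memory SQLite table standing in for the poster's FILE table (the column names f and flan, and the table layout, are assumptions). It shows that the concatenated statement changes shape with the input (a single quote in the value is enough to break it), while the parameterised statement keeps the SQL text fixed and stores any input, including the book's "1001' DROP table shipping --" string, as plain data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the poster's FILE table (assumed: two text columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE file (f TEXT, flan TEXT)")
    return con


def build_insert_concat(f, flan):
    """Mirrors the poster's approach: the SQL text itself depends on the user's input."""
    if flan == "null":
        return "INSERT INTO file VALUES ('" + f + "', null);"
    return "INSERT INTO file VALUES ('" + f + "', '" + flan + "');"


def insert_concat(con, f, flan):
    """Runs the concatenated statement; False means the input broke the SQL syntax."""
    try:
        con.execute(build_insert_concat(f, flan))
        return True
    except sqlite3.OperationalError:
        return False


def insert_param(con, f, flan):
    """Parameterised version: fixed SQL text, the input travels as bound values."""
    con.execute("INSERT INTO file VALUES (?, ?)", (f, None if flan == "null" else flan))
    return True


def stored_flan(con, f):
    """Reads back what was actually stored for a given f (None if no row)."""
    row = con.execute("SELECT flan FROM file WHERE f = ?", (f,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(build_insert_concat("a.txt", "1001"))                 # well-formed, as in the book
    print(insert_concat(con, "report.txt", "O'Brien"))          # False: the quote breaks the statement
    insert_param(con, "report.txt", "O'Brien")
    print(stored_flan(con, "report.txt"))                       # O'Brien, stored intact
    insert_param(con, "notes.txt", "1001' DROP table shipping --")
    print(stored_flan(con, "notes.txt"))                        # stored verbatim, never parsed as SQL
```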