I am trying to secure a web application, written in Java/JSP and running on PostgreSQL, against SQL injection. I ran into this very interesting answer, which refers to PHP and MySQL. Is there any resource on multibyte SQL injection against JSP/PostgreSQL? In particular, is PreparedStatement sufficient to protect the database?
user1180720
1 Answer
Multibyte-based SQL injection is only an issue if MySQL's encoding has been set to GBK. Your client and all of your tables should probably be in UTF-8 for compatibility or Latin1 (seems to be the default in the USA). Multibyte character exploits are not a problem with these two encoding types.
rook
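The encoding dependence described in the answer can be checked directly. The following is an added example, not part of the original answer: it audits whether an encoding accepts ASCII backslash (0x5C) as the second byte of a two-byte character, which is the property that lets a byte-wise escaper's backslash be absorbed. The function names are hypothetical, and Python's built-in codecs are assumed to stand in for the database's character sets.

```python
# Added example (constructed): audit encodings for the trail-byte property
# behind multibyte escaping bypasses. Names here are hypothetical.

BACKSLASH = 0x5C  # the byte a byte-wise escaper inserts before a quote


def backslash_trail_leads(encoding):
    """Return lead bytes L where bytes([L, 0x5C]) decodes to ONE character.

    A non-empty result means an escaping backslash can be swallowed into a
    multibyte character under `encoding`, leaving the quote unescaped.
    """
    leads = []
    for lead in range(0x80, 0x100):
        try:
            text = bytes([lead, BACKSLASH]).decode(encoding, errors="strict")
        except UnicodeDecodeError:
            # Invalid sequence: the backslash cannot be absorbed here.
            continue
        if len(text) == 1:
            # Both bytes formed a single character; the backslash is gone.
            leads.append(lead)
    return leads


def audit(encodings):
    """Map each encoding name to True if byte-wise escaping is unsafe in it."""
    return {enc: bool(backslash_trail_leads(enc)) for enc in encodings}


if __name__ == "__main__":
    # The three encodings named in the answer.
    for enc, unsafe in audit(["gbk", "utf-8", "latin-1"]).items():
        count = len(backslash_trail_leads(enc))
        verdict = "UNSAFE for byte-wise escaping" if unsafe else "not affected"
        print(f"{enc:8s} {verdict} ({count} lead bytes absorb 0x5C)")
```

UTF-8 continuation bytes are always in the range 0x80-0xBF and Latin1 is single-byte, so neither can absorb 0x5C; GBK trail bytes include 0x5C. The same audit can be run against any other codec name a deployment uses.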