Java - escape string to prevent SQL injection

Category: Frontend | Status: unresolved | 12 answers | 2265 views
庸人自扰 2020-11-22 01:58

I'm trying to put some anti SQL injection in place in Java and am finding it very difficult to work with the "replaceAll" string function. Ultimately I need a functio

12 answers
  •  借酒劲吻你
    2020-11-22 02:25

    The only way to prevent SQL injection is with parameterized SQL. It simply isn't possible to build a filter that's smarter than the people who hack SQL for a living.

    So use parameters for all input, updates, and where clauses. Dynamic SQL is simply an open door for hackers, and that includes dynamic SQL in stored procedures. Parameterize, parameterize, parameterize.
