I have a special case requiring that I generate part of a SQL WHERE clause from user supplied input values. I want to prevent any sort of SQL Injection vulnerability.
I asked a similar question here, but I think that the best thing to do is to use org.postgresql.core.Utils.escapeLiteral. This is a Postgres library so using it should be safe. If/when Postgres adds new string delimiters this method should be updated.
The easiest way would be to use PostgreSQL's Dollar Quoting in combination with a small random tag:
$tag$inputString$tag$
Otherwise build your query like this:
This way you escape the whole hassle of different nested quoting techniques and you also set up a moving target by using a random tag.
Depending on your security requirements this might do the job or not. :-)
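As an added example that is not part of either answer, here is a small Python re-implementation of both techniques: the quote-doubling rule that org.postgresql.core.Utils.escapeLiteral applies (my own code, which also adds the outer quotes; the driver's method only appends the escaped body to a StringBuilder) and dollar quoting with a random tag, plus the explicit check that the chosen delimiter does not occur in the input. The sample inputs are constructed.

```python
import secrets


def escape_literal(value: str, standard_conforming_strings: bool = True) -> str:
    """Return value as a quoted PostgreSQL string literal.

    Mirrors the escaping rule of the JDBC driver's Utils.escapeLiteral
    (re-implemented here, not the driver's code): every single quote is
    doubled, and when standard_conforming_strings is off every backslash
    is doubled as well, because backslash is then an escape character
    inside ordinary '...' literals.  NUL is rejected since a PostgreSQL
    text value can never contain it.
    """
    if "\x00" in value:
        raise ValueError("NUL byte is not allowed in a PostgreSQL literal")
    escaped = value.replace("'", "''")
    if not standard_conforming_strings:
        escaped = escaped.replace("\\", "\\\\")
    return "'" + escaped + "'"


def dollar_quote(value: str) -> str:
    """Return value as a dollar-quoted literal $tag$...$tag$.

    Dollar-quoted strings have no escape character at all, so the only
    way to terminate one is the exact closing delimiter.  A random tag
    makes that delimiter unguessable; the check below turns the residual
    (astronomically small) collision risk into a hard error instead of a
    broken query.  A tag must start with a letter or underscore and may
    not contain '$', hence the fixed 'q' prefix on the hex token.
    """
    if "\x00" in value:
        raise ValueError("NUL byte is not allowed in a PostgreSQL literal")
    for _ in range(10):
        tag = "q" + secrets.token_hex(8)
        delimiter = f"${tag}$"
        if delimiter not in value:
            return f"{delimiter}{value}{delimiter}"
    raise ValueError("could not pick a delimiter absent from the input")


if __name__ == "__main__":
    # Constructed sample inputs, including a classic quote-breakout attempt.
    for sample in ("O'Reilly", "a' OR '1'='1", "C:\\temp", "it's $$ fine $tag$"):
        print(escape_literal(sample), escape_literal(sample, False), dollar_quote(sample))
```

Both helpers only make a string *value* safe to splice in; column names, operators and keywords in the WHERE clause still have to come from the application, never from the user.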