I am currently mitigating security violations in Java code.
I would like to confirm how to escape special characters when sending dynamic SQL. The following special characters are to be escaped: `{ " \ } % & ' ( ) * + , - . / : ; < = > ? [ | \t \n`. The where clause is sent via a parameter in Java code.
Example:
select * from tableA where columnA=<parameter>
parameter passed is: tableA.columnA = 'AB' or 1=1
We need to escape quotes and the = sign from the <parameter> if it is passed.
The result of stripping the special characters in order to stop SQL injection would be: AB or 1 1 instead of 'AB' or 1=1
Thanks in advance.
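An added example, not from the question or any answer: written in Python with the standard sqlite3 module rather than Java so it runs offline, it reproduces the character stripping described above and contrasts it with a bound parameter, which is what JDBC's PreparedStatement with a `?` placeholder does. The in-memory tableA and the replace-with-space-then-collapse reading of the stripping rule are assumptions of this example.

```python
import re
import sqlite3

# Characters the question lists for removal. Replacing each with a space and
# collapsing runs of whitespace reproduces the question's "AB or 1 1" result
# (that replace-then-collapse reading is an assumption of this example).
SPECIAL = re.compile(r'[{}"\\%&\'()*+,\-./:;<=>?\[|\t\n]')


def strip_special(value: str) -> str:
    """Blacklist stripping as described in the question."""
    return " ".join(SPECIAL.sub(" ", value).split())


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory table standing in for tableA."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableA (columnA TEXT)")
    conn.executemany("INSERT INTO tableA VALUES (?)", [("AB",), ("CD",)])
    return conn


def rows_by_column_a(conn: sqlite3.Connection, value: str) -> list:
    """Bound parameter: the driver passes `value` as data, never as SQL text,
    so quotes and '=' inside it need no escaping. The JDBC equivalent is
    PreparedStatement with a '?' placeholder filled via setString()."""
    cur = conn.execute("SELECT columnA FROM tableA WHERE columnA = ?", (value,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    payload = "'AB' or 1=1"
    print(strip_special(payload))            # AB or 1 1
    conn = demo_connection()
    print(rows_by_column_a(conn, "AB"))      # ['AB']  legitimate lookup
    print(rows_by_column_a(conn, payload))   # []      input compared as one literal
```

A placeholder can only stand for a value, so the parameter has to carry the compared value rather than the whole where clause.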