
Preventing SQL Injection in DAO Layer

Assume that we have data inside the DTO object:

public void loginUser(UserDTO userDTO)
{
    String name = userDTO.getName();
    String pwd = userDTO.getPassword();
    // user input is concatenated straight into the query text
    String sql = "select UNAME , PWD from LoginTable where uname='" + name + "' and PWD='" + pwd + "'";
}

Please tell me: in this code, how can we prevent SQL injection? How can we check for malicious characters?


Your best bet is to move SQL from the DTO, where it doesn't belong, to the DAO, where it belongs, and use PreparedStatement there.


Here is the official tutorial on using PreparedStatement in JDBC. There are also plenty of others if you search around.

For the record, I must say that I disagree with the claim that the main advantage of a prepared statement is that it can be (though isn't necessarily) sent to the database in advance. The main advantage is parameters.

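The two answers above make the same point: move the query into a DAO and bind the user's input as PreparedStatement parameters instead of concatenating it into the SQL text. The following is an added example written for this page (not code from either answer); it assumes an H2 in-memory database (URL jdbc:h2:mem:demo) and its driver on the classpath, but the DAO itself only depends on java.sql, so any JDBC driver behaves the same way. The table and rows in main() are constructed sample data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example: a DAO that owns the SQL and binds input as parameters.
public class LoginDao {

    private final Connection conn;

    public LoginDao(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable version, kept for comparison with the question's code: the
    // query text is assembled from user input, so a quote in the input ends
    // the string literal and the rest of the input is parsed as SQL.
    public boolean loginUnsafe(String name, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where uname='" + name
                + "' and PWD='" + pwd + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe version: the SQL text is fixed and contains only placeholders.
    // name and pwd travel to the database as values, never as SQL, so there
    // is nothing to escape and no "malicious character" list to maintain.
    public boolean login(String name, String pwd) throws SQLException {
        String sql = "select UNAME, PWD from LoginTable where uname = ? and PWD = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database; swap the URL for your driver.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // constructed sample schema and row, mirroring the question
                st.execute("create table LoginTable (UNAME varchar(64), PWD varchar(64))");
                st.execute("insert into LoginTable values ('alice', 's3cret')");
            }
            LoginDao dao = new LoginDao(conn);

            // Classic tautology payload supplied as both username and password.
            String injected = "x' or '1'='1";

            System.out.println("concatenated query, injected input: "
                    + dao.loginUnsafe(injected, injected));
            System.out.println("prepared statement, injected input: "
                    + dao.login(injected, injected));
            System.out.println("prepared statement, real credentials: "
                    + dao.login("alice", "s3cret"));
        }
    }
}
```

With the concatenated query the injected input turns the WHERE clause into `uname='x' or '1'='1' and PWD='x' or '1'='1'`, which is always true, so loginUnsafe reports a successful login for a user that does not exist. With the prepared statement the same string is compared literally against UNAME and PWD and the login fails, while the real credentials still succeed. Storing and comparing plaintext passwords, as the question's schema does, is a separate problem that parameters do not fix.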