Use PreparedStatement to execute SQL statements instead of Statement. PreparedStatement uses placeholders instead of parameter values, which can prevent SQL injection attacks.
Verify and filter user input data for validity, allowing only specific characters or formats.
By using ORM frameworks such as Hibernate for database operations, special characters are automatically escaped to prevent SQL injection.
Restrict the privileges of database users to prevent them from having excessive permissions and reduce the impact range of attacks.
Avoid directly concatenating user input into SQL statements, try to use parameterized queries as much as possible.