Java – prevent SQL injection in JDBC without using pre prepared statements

I know that using prepared statements is the best way to prevent SQL injection (and syntax errors caused by non escaped characters in unchecked input)

My current situation is that I am writing some java code to move data from one third-party application to another The target application uses a proprietary version of Sybase, so although I do have a JTDS jdbc driver, Preparedstatement failed because the temporary stored procedure used by the driver is not supported in this special style of database So I can only use statement. I can't control user input because it comes from another application

There is this similar question, but it focuses on fixing the problem. If you have a parameter, such as a table that cannot be processed through the prepared statement My situation is different. I hope it is simpler because I have simple SQL statements I want to know if there are best practices to copy something like this without using Preparedstatement:

PreparedStatement statement = connection.prepareStatement("UPDATE mytable SET value=? WHERE id=?");
statement.setInt(1,getID());
statement.setString(2,userInput);
statement.executeUpdate();

So I think the question is how to reliably clean up user input? I can try to do it myself from scratch, but it seems to be a bad idea, because there may be at least one edge situation I will miss, so I hope there is a library there that can do this for me, but so far I haven't been able to find one

Solution

Esapi library has the procedure of escapping input for SQL, and develops its own DB specific encoder when necessary