\ can be an escape character in MySQL.
For example, an attacker could use the \b sequence to delete portions of your query and rewrite with their own injected SQL.
The most reliable way to prevent SQL injection attacks is to use parametrized queries.
See also:
Also be aware that in many databases (not absolutely sure about the JDBC/MySQL combination) it is also possible to "inject" a wildcard character into a SQL LIKE clause, even with a parametrized query. "Injection" in this particular case is not always a problem - in fact, in many cases it may be exactly the desired behavior. However, it can be a problem if, for example, you were doing something horrid like SELECT * FROM Users WHERE UserName LIKE @userInput AND Password LIKE @passwordInput (which would allow anyone to log in simply by inputting the % wildcard character on the screen for both fields).
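The two points in this answer, parametrized queries and the separate LIKE-wildcard problem that parametrization does not solve, demonstrated as an added example that is not part of the original post. It uses Python's standard-library sqlite3 against a constructed in-memory Users table rather than JDBC/MySQL; the table contents, function names and the choice of backslash as the ESCAPE character are assumptions of this example. Note that MySQL assumes \ as the LIKE escape character when no ESCAPE clause is given, whereas SQLite has no default, so naming the escape character explicitly is the portable choice.

```python
import sqlite3


def make_db():
    """Constructed sample database for this example (not from the original post).
    Passwords are stored in plaintext only to reproduce the 'horrid' query the
    answer warns about; a real system would store a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally.
    The escape character itself is doubled first so it cannot be used to
    un-escape a following wildcard. Must be paired with an ESCAPE clause
    naming the same character in the query."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def login_like_unsafe(conn, user, pw):
    """Parametrized, so quotes and comment sequences in the input cannot alter
    the statement, but LIKE still interprets % and _ in the bound values."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserName LIKE ? AND Password LIKE ?",
        (user, pw),
    ).fetchone()
    return row[0] > 0


def login_like_escaped(conn, user, pw):
    """Same query, but wildcards in the input are escaped and the ESCAPE
    clause tells the database which character was used."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserName LIKE ? ESCAPE '\\' "
        "AND Password LIKE ? ESCAPE '\\'",
        (escape_like(user), escape_like(pw)),
    ).fetchone()
    return row[0] > 0


def login_equality(conn, user, pw):
    """The simplest fix for a login check: use equality, not LIKE, so no
    pattern matching happens on attacker-controlled input at all."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?",
        (user, pw),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # A single % in both fields satisfies the LIKE version for any user.
    print("LIKE, unescaped, input '%':", login_like_unsafe(db, "%", "%"))
    print("LIKE, escaped,   input '%':", login_like_escaped(db, "%", "%"))
    print("equality,        input '%':", login_equality(db, "%", "%"))
    # Parametrization keeps a quote in the input from changing the statement.
    print("quote in username, no error:", login_like_unsafe(db, "o'brien", "x"))
```

The escaped form is what you want when LIKE is genuinely needed on user input (a search box where a literal underscore should match an underscore); for an authentication check, the equality version is the right query, and it removes the wildcard question entirely.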