Sony hacked (again) by SQL injection (programming 101)

Sony was reportedly hacked by SQL injection. Protecting against SQL injection is simple: never build a query by concatenating user-submitted content into the SQL text. Query creation by string concatenation is not only insecure, it also has performance implications, because the database sees a different statement every time and cannot reuse a cached execution plan. With modern languages and APIs there is no reason to do it this way. For Java-based technologies using JDBC, use PreparedStatement with bind parameters (the ? placeholders), so user data is sent to the database as values and never becomes part of the SQL text.
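To make the difference concrete, here is an added example (not from the original post) that runs the same login query both ways against an in-memory SQLite database. Python's sqlite3 module stands in for JDBC so it runs without a database server; the users table, the two accounts and the attack payloads are constructed for the demo. The concatenated version lets a classic ' or '1'='1 payload match every row and lets a trailing comment (--) log in as a chosen user without a password; the bound version treats the same strings as plain values and matches nothing.

```python
import sqlite3

# Constructed sample data: two accounts in a tiny users table.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# Constructed attack payloads.
PAYLOAD_TAUTOLOGY = "' or '1'='1"   # turns the WHERE clause into "... or true"
PAYLOAD_COMMENT = "alice'--"        # comments out the password check entirely


def make_db():
    """Build the in-memory database the demo queries."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, password text)")
    con.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def login_concat(con, name, password):
    """Vulnerable: user input is spliced straight into the SQL text."""
    sql = ("select name from users where name = '" + name
           + "' and password = '" + password + "' order by name")
    return [row[0] for row in con.execute(sql)]


def login_bound(con, name, password):
    """Fixed: the SQL text is constant; values travel as bound parameters."""
    sql = "select name from users where name = ? and password = ? order by name"
    return [row[0] for row in con.execute(sql, (name, password))]


def demo():
    """Run both versions with a normal login and with each payload."""
    con = make_db()
    return {
        "concat_normal": login_concat(con, "alice", "s3cret"),
        "concat_tautology": login_concat(con, "x", PAYLOAD_TAUTOLOGY),
        "concat_comment": login_concat(con, PAYLOAD_COMMENT, "wrong"),
        "bound_normal": login_bound(con, "alice", "s3cret"),
        "bound_tautology": login_bound(con, "x", PAYLOAD_TAUTOLOGY),
        "bound_comment": login_bound(con, PAYLOAD_COMMENT, "wrong"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:18} -> {rows}")
```

The bound queries do no escaping or quoting of the payloads at all; the strings simply never reach the SQL parser, which is why parameter binding is the fix rather than input filtering.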

// con is an open java.sql.Connection; e is a Map.Entry<String, Integer> of coffee name to sales.
// dbName is an identifier and cannot be bound, so it must come from trusted configuration, never from a user.
String updateString = "update " + dbName + ".COFFEES " +
"set SALES = ? where COF_NAME = ?";
try (PreparedStatement updateSales = con.prepareStatement(updateString)) {
    updateSales.setInt(1, e.getValue().intValue());  // bound as an integer value
    updateSales.setString(2, e.getKey());            // bound as a string, never spliced into the SQL
    updateSales.executeUpdate();
}

For Hibernate or JPA do something more like:

// :pid is a named parameter; personId is bound as a value, not concatenated into the HQL.
Person aPerson = (Person) session
.createQuery("select p from Person p left join fetch p.events where p.id = :pid")
.setParameter("pid", personId)
.uniqueResult(); // Eager fetch the collection so we can use it detached

In general, for most enterprise business transactional systems, an ORM like Hibernate is preferred. This isn't because doing hand-rolled JDBC is HARD, but because it is SO EASY to mess up, as Sony has so aptly demonstrated. The ORM is not a magic shield, though: concatenating user input into an HQL, JPQL or native query string is just as injectable as concatenating it into raw SQL, so the rule stays the same at every layer, bind parameters, never concatenate.