Penetration Testing mailing list archives
Re: is JSP&servelet web app SQL Injection Free?
From: Phillip Ames <pentest () una-cerveza com>
Date: Tue, 06 Jan 2009 02:22:32 -0500
JarodZZ,

JSP & Servlet web applications are most definitely vulnerable to SQL injection attacks. Just as with PHP/ASP, the developer may opt to construct SQL queries based on user input. However, Java (like PHP5/ASP.NET) also allows for the use of what are called prepared statements, where the developer would write something like:
    String sql = "SELECT * FROM table WHERE field = ?";

The '?' is a placeholder character that is then 'bound' to user input. By using the placeholder, when the query is executed, the database is able to differentiate between user input and the query that the developer wrote.
In short, no, Java is not any more or less invulnerable to SQL injection attacks, it is simply a matter of whether the developer is using the features of the language to protect against that type of attack.
You may find some more useful information here to understand how the attack/defense works in Java:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

HTH,
-Phil

salamond wrote:
> Hi, all.
>
> I'm new to pen-testing.
>
> Just finished my tour with a couple of tools:
> webscarab
> sqlmap
> ratproxy
>
> But it shows OK for every page that I've been through.
>
> I went through a couple of SQL Injection tutorials, and most of them
> are focusing on
> php or asp pages.
>
> So here's my question, it may sound stupid, but
> are there no SQL Injection problems in JSP & Java servlet web apps?
>
> thanks
>
> JarodZZ
Current thread:
- is JSP&servelet web app SQL Injection Free? salamond (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Phillip Ames (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Taufiq Ali (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Frank Fan (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? ArcSighter Elite (Jan 06)
- Re: is JSP&servelet web app SQL Injection Free? David Howe (Jan 06)