WebApp Sec mailing list archives
Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 30 Dec 2002 18:14:39 -0500
I dunno about that. Impossible is such a big word, and I've seen SQL Injection successfully done at least a few times against a stored procedure. You should put your sample apps on a web site somewhere so people can knock it around a bit.

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/CANVAS/
(Remote SQL Server exploits make SQL Injection even more fun than usual!)

On Mon, 30 Dec 2002 17:32:13 -0500 "Kevin Spett" <kspett () spidynamics com> wrote:

> The use of prepared statements and stored procedures makes SQL injection impossible. A prepared statement is compiled before the user input is added to the SQL statement, effectively making it impossible to execute the client-supplied data because it is never compiled.
>
> There was a thread about this a couple of months back on this list, here's the first post: http://archives.neohapsis.com/archives/sf/www-mobile/2002-q3/0105.html
>
> Have a fun and securely programmed new year, everyone.
>
> Kevin Spett
> SPI Labs
> http://www.spidynamics.com
>
> ----- Original Message -----
> From: "Christopher Todd" <chris () christophertodd com>
> To: <webappsec () securityfocus com>
> Sent: Monday, December 30, 2002 3:29 PM
> Subject: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
>
> > I am working on the Java language section of the OWASP Guide to Securing Web Applications, and I have a question for the list. Have any of you elite SQL Injectors ever been able to hack an application that was using JDBC PreparedStatements? Are any of you aware of a theoretical reason this should be impossible? I have tried, and been unsuccessful, to perform SQL injection on an example app I coded up, but then again, I am not the world's most talented SQL Injector.
> >
> > On another note, have any of you ever successfully used SQL Injection against a web app that was using Castor JDO, or other similar Object-Relational mapping tools? Again, I have tried to attack an example app I coded up and failed. Same question - is it theoretically impossible to execute SQL injection against apps coded using these techniques and tools?
> >
> > I ask these questions because I think these two techniques can be used effectively to thwart (or at least make more difficult) SQL injection attacks against Java-based web apps, but I want to validate that belief to the best extent I can prior to putting such statements into the Guide.
> >
> > Thanks in advance for any help you can provide, as it will improve the quality and usefulness of the Guide.
> >
> > Chris
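The mechanism the thread is arguing about, as an added example that is not part of any message above: the statement text is parsed with placeholders and the client-supplied values are bound afterwards, so a value can never change the shape of the query. The example uses Python's sqlite3 module rather than JDBC because its `?` placeholders work the same way as a JDBC PreparedStatement; the table, the two users and the payload are constructed here. It also goes one step beyond the thread by showing the limit of that guarantee: placeholders bind values, not identifiers, so any part of the query that is still built by string concatenation (an ORDER BY column, or dynamic SQL assembled inside a stored procedure, which is the case Dave Aitel refers to) is still injectable and has to be validated separately.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the client-supplied strings become part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_prepared(conn, name, password):
    """Safe: the statement is parsed once with placeholders (the JDBC
    PreparedStatement equivalent) and the values are bound afterwards, so the
    same payload is compared as an ordinary string and matches nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def list_users_sorted(conn, column):
    """Caveat: a placeholder cannot stand in for an identifier such as an
    ORDER BY column, so this part of the query is still concatenated and must
    be checked against an allow-list before it reaches the database."""
    allowed = {"name", "password"}
    if column not in allowed:
        raise ValueError("unexpected sort column: %r" % column)
    sql = "SELECT name FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"          # classic tautology, constructed here
    print("concat  :", login_concat(conn, "alice", payload))    # both users
    print("prepared:", login_prepared(conn, "alice", payload))  # no match
    print("sorted  :", list_users_sorted(conn, "name"))
    try:
        list_users_sorted(conn, "name; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it and the concatenated query returns every user for the tautology payload while the prepared statement returns nothing, which is Kevin Spett's point; the rejected ORDER BY argument shows where the protection stops and where Chris's "theoretically impossible" needs the qualification "for the parts of the query that are actually parameterised".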
Current thread:
- JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Jeff Williams @ Aspect (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- <Possible follow-ups>
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Michael Howard (Dec 31)
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 31)