WebApp Sec mailing list archives
Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
From: "Sverre H. Huseby" <shh () thathost com>
Date: Sat, 4 Jan 2003 23:15:34 +0100
[Jeff Williams @ Aspect] | Now just to be clear, I think using PreparedStatements is a good | idea. But since the spec doesn't provide any meaningful protection | against SQL injection, I think anyone using JDBC ought to do their | own protection. I can't see how they would do that. If they start doubling quotes, and the JDBC driver behaves as I would expect, the database suddenly contains strings with double quotes in them. I haven't read the latest JDBC spec [1], but the 1.4.1 doc for PreparedStatement.setString(int, String) states that: Sets the designated parameter to the given Java String value. The driver converts this to an SQL VARCHAR or LONGVARCHAR value (depending on the argument's size relative to the driver's limits on VARCHAR values) when it sends it to the database. If quotes may be used to do SQL Injection using this method, I think the implementation is _not_ according to the documentation. In that case, as I see it, the driver is not converting the string to a VARCHAR or LONGVARCHAR value: Only parts of the string will be a VARCHAR value, the rest will be SQL terms. Hence, the string is not converted to a VARCHAR (or LONGVARCHAR). I wouldn't be amazed if I found that a new JDBC driver failed to handle metacharacters, but I don't think the application programmer should care much, other than checking that quotes and any other metacharacter are handled correctly before using the driver. If troublesome characters are not handled correctly, then shame on the driver programmers, IMNSHO. I just took a look at the mentioned setString method of the latest (stable) JDBC driver for both MySQL and PostgreSQL. The MySQL version contains this: for (i = 0; i < x.length(); ++i) { char c = x.charAt(i); if (c == '\\' || c == '\'' || c == '"') { B.append((char) '\\'); } B.append(c); } The PostgreSQL version contains this: for (i = 0 ; i < x.length() ; ++i) { char c = x.charAt(i); if (c == '\\' || c == '\'') sbuf.append((char)'\\'); sbuf.append(c); } Makes you wonder if they were written by the same person. :) At least, it looks like both handle the metacharacters as I would expect after reading about the VARCHAR conversion in the docs. Sverre. [1] I read the JDBC 1.0 spec when I implemented my own JDBC driver for PostgreSQL some years back. The spec left far too much to be decided by the implementor. -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/
Current thread:
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Jan 03)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Jan 03)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Jan 03)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Jeff Williams @ Aspect (Jan 03)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Sverre H. Huseby (Jan 04)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Jan 03)