WebApp Sec mailing list archives
RE: JDBC protections against SQL Injection
From: "Dave Wichers" <dave.wichers () aspectsecurity com>
Date: Tue, 17 Mar 2009 10:00:15 -0400
This is a great thread to give me the opportunity to announce my contribution to the OWASP Prevention Cheat Sheet Series: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

This is the 2nd article in this series, and it discusses all this in some detail in a language independent manner, but gives some examples in Java and .NET.

-Dave

p.s. The first article, written by Jeff Williams, is: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

I'd encourage you all to check this out as well. The XSS Prevention Cheat Sheet provides THE MOST CONCRETE recommendations for avoiding XSS that I have ever seen.

p.p.s. If anyone wants to volunteer to write other articles in the new OWASP Prevention Cheat Sheet Series, please let me and Jeff know.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of private private
Sent: Tuesday, March 17, 2009 6:00 AM
To: Marc-André Laverdière; tas0584 () googlemail com; lister () lihim org; webappsec () securityfocus com
Subject: Re: JDBC protections against SQL Injection

I know that if you use a parameterized command object in .NET it mitigates SQL injection on SQL Server, for instance, by calling sp_executesql on the server, passing in each SqlParameter object escaped. The parameter objects are also type checked before being escaped, adding additional security.

.NET also has a Prepare command on the .NET object; this will validate that the SqlCommand is valid according to the database schema and requires an open connection to the database.

On 3/17/09, Marc-André Laverdière <marc-andre () atc tcs com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning everyone,

The Java PreparedStatement class is there for you: http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

- --
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

τ∂υƒιφ * wrote:

Hey,

This preaching applies to any programming language. It all depends on how well you have done input and output validation, as in what input you expect and what input is malicious for your app. If all goes well you can make SQL injection very difficult or even impossible. The reason I say difficult is because it all depends on how well the SQL injection is crafted.

As far as I recollect, I don't think JDBC, or for that matter even Java, gives you a predefined class for doing that. But there is quite a possibility that someone on the internet must surely have written these classes.

--
Taufiq
http://www.niiconsulting.com/products/iso_toolkit.html

2009/3/16 <lister () lihim org>:

I've heard this preached before. Using JDBC properly can help protect against SQL Injection. What protections does JDBC provide? Does Java encode the input to not be malicious? I'm curious where in the Java source/libraries JDBC helps to mitigate malicious input when using JDBC.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkm/LnIACgkQ1pcTV+tDOi4SCQCff3iHEl6I3C7vkziCUPjP1k0u
oCgAoJL659OG2pHXV9C+vgScbfdjXmXl
=DEaD
-----END PGP SIGNATURE-----
-- Sent from my mobile device
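The thread above answers lister's question in one sentence (use PreparedStatement) without showing what the difference actually is. The following is an added example, not code from any poster or from the OWASP cheat sheets, that puts the two approaches side by side: string concatenation, where the user's text becomes part of the SQL grammar the server parses, and a PreparedStatement, where the SQL text is fixed at prepare time and the values are shipped as typed parameters that the server never parses as SQL. It also shows the caveat the thread does not mention: placeholders only work for values, so anything that has to be an identifier (an ORDER BY column here) still needs an allow list. The JDBC URL (an H2 in-memory database, so the driver jar must be on the classpath), the users table and the rows in it are all assumptions constructed for the demo; any JDBC driver works with only the URL changed.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not from the mailing-list thread. Assumes the H2 driver is on
// the classpath; the URL, schema and rows below are constructed for the demo.
public class JdbcInjectionDemo {

    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1"; // assumption

    // Constructed sample data so the example runs offline.
    static void setUp(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64), pw VARCHAR(64))");
            s.execute("INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2')");
        }
    }

    // VULNERABLE: the untrusted strings are spliced into the SQL text, so a
    // quote in the input closes the literal and the rest is parsed as SQL.
    static int countVulnerable(Connection c, String name, String pw) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "' AND pw = '" + pw + "'";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: the query shape is fixed when prepared; the driver sends name and
    // pw as typed parameters, so their contents are compared, never parsed.
    static int countParameterized(Connection c, String name, String pw) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, pw);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // CAVEAT: a '?' cannot stand in for a table or column name. Identifiers
    // that come from the request must be matched against an allow list and
    // only then concatenated.
    static final Set<String> SORTABLE = Set.of("id", "name");

    static List<String> listSorted(Connection c, String orderBy) throws SQLException {
        if (!SORTABLE.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + orderBy);
        }
        // Safe only because orderBy was just checked against SORTABLE.
        String sql = "SELECT name FROM users ORDER BY " + orderBy;
        List<String> names = new ArrayList<>();
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            setUp(c);
            // Classic tautology payload, constructed for the demo. In the
            // concatenated query it turns the WHERE clause into
            //   name = 'alice' AND pw = '' OR '1'='1'
            // which is true for every row; in the prepared query it is just a
            // password nobody has.
            String payload = "' OR '1'='1";
            System.out.println("concatenated : " + countVulnerable(c, "alice", payload));
            System.out.println("parameterized: " + countParameterized(c, "alice", payload));
            System.out.println("sorted       : " + listSorted(c, "name"));
        }
    }
}
```

Run it and the concatenated count equals the number of rows in the table (the login check is bypassed) while the parameterized count is zero. Nothing in the PreparedStatement path escapes or rewrites the input: depending on the driver the parameter is either sent to the server out of band or quoted by the driver for a client-side prepare, but in both cases the application never lets user text decide the shape of the statement, which is the property that matters. The same reasoning explains why `listSorted` still needs its allow list: a column name is part of the statement's shape, and no placeholder can carry it.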
Current thread:
- JDBC protections against SQL Injection lister (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection private private (Mar 17)
- RE: JDBC protections against SQL Injection Dave Wichers (Mar 17)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- <Possible follow-ups>
- Re: Re: JDBC protections against SQL Injection jjs_ritasa (Mar 18)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)
- Re: Re: JDBC protections against SQL Injection lister (Mar 19)
- Re: JDBC protections against SQL Injection Rogan Dawes (Mar 19)
- Re: JDBC protections against SQL Injection Florian Weimer (Mar 19)
- Re: JDBC protections against SQL Injection Rohit Sethi (Mar 24)
- RE: JDBC protections against SQL Injection Jeff Williams (Mar 26)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)