RE: JDBC protections against SQL Injection

["Dave Wichers" <dave.wichers () aspectsecurity com>]

This is a great thread to give me the opportunity to announce my contribution to the OWASP Prevention Cheat Sheet 
Series:

http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

This is the 2nd article in this series, and it discusses all this in some detail in a language independent manner, but 
gives some examples in Java and .NET.

-Dave

p.s. The first article, written by Jeff Williams, is: 
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 

I'd encourage you to all check this out as well. The XSS Prevention Cheat Sheet provide THE MOST CONCRETE 
recommendations for avoiding XSS that I have ever seen.

p.p.s. If anyone want to volunteer to write other articles in the new OWASP Prevention Cheat Sheet Series, please let 
me and Jeff know.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of private private
Sent: Tuesday, March 17, 2009 6:00 AM
To: Marc-André Laverdière; tas0584 () googlemail com; lister () lihim org; webappsec () securityfocus com
Subject: Re: JDBC protections against SQL Injection

I know that if you use a parameterized  command object in .Net it
mitigates sql injection on sql server for instance by calling
sp_executesql on the server passing in each sqlparameter object
escaped. The parameter objects are also typed checked before being
escaped adding additional security.

.Net also has prepare command on the .Net object this will validate
that the sqlcommand is valid according to the database schema and
requires an open connection to the database.

On 3/17/09, Marc-André Laverdière <marc-andre () atc tcs com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good morning everyone,
>
> The Java PreparedStatement class is there for you:
> http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
>
> - --
> Marc-André Laverdière
> Software Security Scientist
> Innovation Labs, Tata Consultancy Services
> Hyderabad, India
>
> τ∂υƒιφ * wrote:
> > Hey,
> >
> > This preach is applicable for any programming language. It all depends
> > on how well you have done input & output validation. As in what input
> > you expect & what input is malicious for your app. If all goes well
> > you can make SQL injection very difficult or even impossible . The
> > reason I say difficult, because it all depends on how well the SQL
> > injection is crafted. As far as I recollect I don't think JDBC or for
> > that case even java gives you predefined class for doing that. But
> > there is quite a possibility that some one on the internet must have
> > surely written these classes.
> >
> > --
> > Taufiq
> > http://www.niiconsulting.com/products/iso_toolkit.html
> >
> >
> >
> > 2009/3/16  <lister () lihim org>:
> > > I've heard this preached before.
> > >
> > > Using JDBC properly can help protect against SQL Injection.
> > >
> > > What protections does JDBC provide?
> > >
> > > Does java encode the input to not be malicious?
> > >
> > > I'm curious where in the java source/libraries does jdbc help
> > > to mitigate malicious input when using jdbc.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkm/LnIACgkQ1pcTV+tDOi4SCQCff3iHEl6I3C7vkziCUPjP1k0u
> oCgAoJL659OG2pHXV9C+vgScbfdjXmXl
> =DEaD
> -----END PGP SIGNATURE-----

-- 
Sent from my mobile device