WebApp Sec mailing list archives
Re: Re: Re: JDBC protections against SQL Injection
From: jjs_ritasa () verizon net
Date: 19 Mar 2009 17:58:13 -0000
I have seen and responded to the comments. I spent some time this morning testing the PreparedStatement interface, and it does handle the special-character issue. I posted an update to the OP which includes this link (http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java) to the OWASP page discussing preventing SQL injection in Java apps.

While I am strongly opposed to the 'Ready, Fire, Aim' procedure that I just followed, the reason this was such a hot-button issue for me is that I have revisited it several times during development and testing. And the javadoc doesn't say anything about the security aspects of the methods. The main use it gives for Prepared Statements is for efficiency. So my app is currently using the Statement.execute___ methods, which do no input parsing.

And that leads to the question: why don't the Statement execute methods call the same parser that the PreparedStatement interface uses? If there are multiple ways of executing SQL statements, some of which are more secure than others, isn't that just begging for insecure code?

Later . . .
Jim
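The difference Jim describes between Statement and PreparedStatement, as an added example (not code from the original post or from the thread): the same lookup written both ways, run against a constructed two-row table and a constructed hostile input. The in-memory database URL `jdbc:h2:mem:demo` assumes an H2 JDBC driver on the classpath; any JDBC driver with an in-memory mode would do, and the `users` table and its rows are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JdbcInjectionDemo {

    // Vulnerable: the untrusted value is spliced into the SQL text, so the
    // database parses whatever it contains (quotes, OR, comment markers) as SQL.
    static int countByStatement(Connection conn, String userName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + userName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Hardened: the SQL text is fixed at compile time of the statement; the value
    // is bound as a parameter and is never parsed as part of the statement.
    static int countByPreparedStatement(Connection conn, String userName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 (or another in-memory JDBC database) is on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample data for the demo.
                st.execute("CREATE TABLE users (name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob')");
            }

            String legit = "alice";
            String hostile = "x' OR '1'='1";   // constructed attack input

            // With the hostile input, the concatenated query's WHERE clause
            // becomes an always-true expression and every row is counted.
            System.out.println("Statement, legit input  : " + countByStatement(conn, legit));
            System.out.println("Statement, hostile input: " + countByStatement(conn, hostile));

            // The bound parameter is compared as one literal string, so the
            // hostile input simply matches no user.
            System.out.println("Prepared, legit input   : " + countByPreparedStatement(conn, legit));
            System.out.println("Prepared, hostile input : " + countByPreparedStatement(conn, hostile));
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the protection comes from the `?` placeholder plus `setString`, not from the PreparedStatement class itself: `conn.prepareStatement("... WHERE name = '" + userName + "'")` is exactly as injectable as the Statement version. Second, binding only covers values; table and column names, or an ORDER BY direction, cannot be parameters, so anything user-controlled in those positions has to be checked against an allow-list before it reaches the SQL text.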
Current thread:
- Re: JDBC protections against SQL Injection, (continued)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection private private (Mar 17)
- RE: JDBC protections against SQL Injection Dave Wichers (Mar 17)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: Re: JDBC protections against SQL Injection jjs_ritasa (Mar 18)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)
- Re: Re: JDBC protections against SQL Injection lister (Mar 19)
- Re: JDBC protections against SQL Injection Rogan Dawes (Mar 19)
- Re: JDBC protections against SQL Injection Florian Weimer (Mar 19)
- Re: JDBC protections against SQL Injection Rohit Sethi (Mar 24)
- RE: JDBC protections against SQL Injection Jeff Williams (Mar 26)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)