WebApp Sec mailing list archives

RE: JDBC protections against SQL Injection


From: "Jeff Williams" <planetlevel () gmail com>
Date: Thu, 26 Mar 2009 09:09:01 -0400

There was a pretty full discussion of the JDBC spec and escaping related to
PreparedStatements back in 2003. Essentially, the spec does *not* guarantee
any sort of escaping and therefore SQL injection protection.  It's just
lucky that it appears to be done in many database drivers. Note that for
databases with support for a native parameterized interface, the driver can
use that without escaping.  http://seclists.org/webappsec/2003/q1/0003.html.
If you're interested in doing the escaping yourself, ESAPI has codecs for
MySQL and Oracle.  If anyone knows the exact rules for SQLServer, I'd like
to get that codec done too.

Thanks,

--Jeff

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Rohit Sethi
Sent: Monday, March 23, 2009 10:39 PM
To: Florian Weimer
Cc: lister () lihim org; webappsec () securityfocus com
Subject: Re: JDBC protections against SQL Injection

You'll be interested in this:
http://www.google.com/codesearch/p?hl=en#OzTl4d0Z71Q/mysql-connector-java-3.0.11-stable/com/mysql/jdbc/PreparedStatement.java&q=PreparedStatement%20lang:java%20mysql

This is the implementation of the PreparedStatement interface for
MySQL. Note the setString() method that escapes several interpreted
characters. Conceivably, somebody can write a driver that fails to
properly implement this kind of method.

Cheers,

Rohit

On Thu, Mar 19, 2009 at 4:03 PM, Florian Weimer <fw () deneb enyo de>
wrote:
Being paranoid, I wanted to review the source in java and find the
area where the input is "escaped" to see how they handle the
protections
in implementation rather than blindly trust someone saying "just use
...
it will protect against SQL injection".

It's in the JDBC driver.  Escaping is database-specific, so only the
driver knows how to do it properly.
--
Rohit Sethi
Security Compass
http://www.securitycompass.com
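The thread makes two points that are easy to demonstrate side by side: parameter binding keeps the value out of the statement text entirely, while client-side escaping is only as good as its match to the target database's literal syntax. The block below is an added example, not code from the thread, ESAPI or Connector/J. It uses Python's stdlib sqlite3 (DB-API "?" binding plays the role of JDBC PreparedStatement) so it runs without a driver dependency; the sample users table and the hostile probe string are constructed for the demo, and mysql_quote is a reimplementation of the well-known mysql_real_escape_string character set (assumed default sql_mode, NO_BACKSLASH_ESCAPES off), not ESAPI's MySQL codec.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'neil", "oneil@example.test"),  # legitimate name containing a quote
]


def make_db():
    """Create an in-memory SQLite database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_by_name_param(conn, name):
    """Parameter binding: the value never becomes part of the SQL text,
    so the application does no escaping at all (the JDBC PreparedStatement model)."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def find_by_name_concat(conn, name):
    """Vulnerable form: the value is spliced into the statement unescaped.
    Returns None if the database rejects the resulting SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error:
        return None


def sqlite_quote(value):
    """SQLite/ANSI rule: a quote inside a string literal is written as two quotes."""
    return "'" + value.replace("'", "''") + "'"


# Backslash escaping in the style of mysql_real_escape_string / Connector/J
# setString (assumption: default sql_mode, NO_BACKSLASH_ESCAPES off).
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_quote(value):
    """MySQL-style literal: backslash-escape the characters MySQL treats specially."""
    return "'" + "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value) + "'"


def find_by_name_quoted(conn, name, quoter):
    """Client-side escaping: correct only when `quoter` matches the target
    database's literal rules, which is why the thread says only the driver
    can do it properly."""
    sql = "SELECT email FROM users WHERE name = " + quoter(name)
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error:
        return None


def demo():
    """Run every variant against the same database and collect the results."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # textbook tautology, used only to show the difference
    return {
        "param_quote_name": find_by_name_param(conn, "o'neil"),
        "param_hostile": find_by_name_param(conn, hostile),
        "concat_quote_name": find_by_name_concat(conn, "o'neil"),
        "concat_hostile": find_by_name_concat(conn, hostile),
        "sqlite_escaped_quote_name": find_by_name_quoted(conn, "o'neil", sqlite_quote),
        "sqlite_escaped_hostile": find_by_name_quoted(conn, hostile, sqlite_quote),
        # MySQL rules applied to SQLite: fine for plain input, wrong as soon
        # as a quote appears (SQLite does not treat backslash as an escape)
        "mysql_escaped_plain_name": find_by_name_quoted(conn, "alice", mysql_quote),
        "mysql_escaped_quote_name": find_by_name_quoted(conn, "o'neil", mysql_quote),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized query returns exactly one row for the quoted name and nothing for the tautology; the concatenated query errors on the quoted name and returns every row for the tautology; SQLite-style doubling behaves correctly on SQLite; and the MySQL-style escaper works on plain input but breaks the moment a quote appears, which is the "it just happens to work" situation the thread warns about when escaping is done outside the driver.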