WebApp Sec mailing list archives
RE: JDBC protections against SQL Injection
From: "Jeff Williams" <planetlevel () gmail com>
Date: Thu, 26 Mar 2009 09:09:01 -0400
There was a pretty full discussion of the JDBC spec and escaping related to PreparedStatements back in 2003. Essentially, the spec does *not* guarantee any sort of escaping and therefore SQL injection protection. It's just lucky that it appears to be done in many database drivers. Note that for databases with support for a native parameterized interface, the driver can use that without escaping.

http://seclists.org/webappsec/2003/q1/0003.html

If you're interested in doing the escaping yourself, ESAPI has codecs for MySQL and Oracle. If anyone knows the exact rules for SQLServer, I'd like to get that codec done too.

Thanks,
--Jeff
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rohit Sethi
Sent: Monday, March 23, 2009 10:39 PM
To: Florian Weimer
Cc: lister () lihim org; webappsec () securityfocus com
Subject: Re: JDBC protections against SQL Injection

You'll be interested in this:

http://www.google.com/codesearch/p?hl=en#OzTl4d0Z71Q/mysql-connector-java-3.0.11-stable/com/mysql/jdbc/PreparedStatement.java&q=PreparedStatement%20lang:java%20mysql

This is the implementation of the PreparedStatement interface for MySQL. Note the setString() method that escapes several interpreted characters. Conceivably somebody can write a driver that fails to properly implement this kind of method.

Cheers,
Rohit

On Thu, Mar 19, 2009 at 4:03 PM, Florian Weimer <fw () deneb enyo de> wrote:
> > Being paranoid, I wanted to review the source in java and find the area where the input is "escaped" to see how they handle the protections in implementation rather than blindly trust someone saying "just use...it will protect against SQL injection".
>
> It's in the JDBC driver. Escaping is database-specific, so only the driver knows how to do it properly.

-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
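To make the driver-side escaping discussed in this thread concrete, here is an added example (not code from the thread or from Connector/J) of the kind of client-side escaping a setString() implementation applies, next to a check that the bound value was absorbed entirely as string data. The escape table is an assumption modelled on MySQL backslash escaping; real drivers also depend on server mode and charset, which is exactly why the exact rules per database matter.

```python
# Added example, not the thread's or Connector/J's code. The escape table
# is an assumption modelled on MySQL backslash escaping (server modes such
# as NO_BACKSLASH_ESCAPES change the rules, so a real driver must know them).
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def escape_mysql(value: str) -> str:
    """Backslash-escape characters MySQL treats specially inside literals."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def bind(template: str, value: str, escaper=escape_mysql) -> str:
    """Replace the first '?' with a single-quoted literal built from value."""
    return template.replace("?", "'" + escaper(value) + "'", 1)

def shape(sql: str) -> str:
    """Collapse every single-quoted literal to '?', honouring backslash
    escapes and doubled quotes, so only the structural SQL text remains."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1                                  # opening quote
        closed = False
        while i < n:
            if sql[i] == "\\":                  # escaped char: skip both
                i += 2
            elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
                i += 2                          # doubled quote, still inside
            elif sql[i] == "'":
                i += 1                          # closing quote
                closed = True
                break
            else:
                i += 1
        out.append("?" if closed else "<unterminated literal>")
    return "".join(out)

def value_stays_in_literal(template: str, value: str, escaper=escape_mysql) -> bool:
    """True when binding leaves the SQL shape identical to the template,
    i.e. nothing in value became SQL structure."""
    return shape(bind(template, value, escaper)) == template

# Constructed sample: a template and a value carrying a quote.
TEMPLATE = "SELECT id FROM users WHERE name = ?"
SAMPLE = "O'Brien"

if __name__ == "__main__":
    print(bind(TEMPLATE, SAMPLE, str), value_stays_in_literal(TEMPLATE, SAMPLE, str))  # str = no escaping
    print(bind(TEMPLATE, SAMPLE), value_stays_in_literal(TEMPLATE, SAMPLE))
```

Passing `str` as the escaper is the "no escaping" case: the quote in the value closes the literal early and `shape()` reports the changed structure, while the escaped binding keeps the template's shape.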