Penetration Testing mailing list archives
Re: is JSP&servelet web app SQL Injection Free?
From: ArcSighter Elite <arcsighter () gmail com>
Date: Tue, 06 Jan 2009 08:52:37 -0500
Frank Fan wrote:
Of course not! In fact it has nothing to do with the language, but with how the app deals with paras etc.; most apps with problems we found are JSP and ASP. Best! Frank

On Mon, Jan 5, 2009 at 4:28 PM, salamond <jarodzz () gmail com> wrote:

Hi, all. I'm new to pen-testing. Just finished my tour with a couple of tools: webscarab, sqlmap, ratproxy. But it shows OK for every page that I've been through. I went through a couple of SQL Injection tutorials, and most of them are focusing on php or asp pages. So here's my question, it may sound stupid, but is there no SQL Injection problem in JSP & Java servlet web apps? thanks JarodZZ
What a question! SQL injection is an issue derived from input validation. No language or implementation can free the programmer from properly validating the user input for malicious cases. They can only offer features that help the programmer with such a task, such as parameterized queries or stored procedures. If the creator doesn't use these features properly, of course SQL injection is possible. The issue is not an implementation flaw, so JDBC/ADO/Linq/DBM or whatever do not pose the problem; it is the programmers who misuse these technologies who introduce the vulnerability in the web apps. Sincerely.
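As an added example that is not part of this thread, the distinction ArcSighter draws is shown below with Python's sqlite3 so it runs stand-alone; the two login functions map one-to-one onto JDBC's Statement built by string concatenation and PreparedStatement with bound parameters. The users table, its rows and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the web app's user table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the SQL text is assembled by concatenation, the same pattern
    as JDBC Statement.executeQuery(sql). User input becomes SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened: the SQL text is fixed and values are bound separately, the
    same pattern as JDBC PreparedStatement with setString. Input stays data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both variants on a benign and a hostile login and return the rows
    each one matches, so the difference can be checked rather than just read."""
    conn = make_db()
    benign = ("alice", "s3cret")
    # Constructed hostile input: the password closes the quoted string and
    # appends a tautology, so the concatenated WHERE clause matches every row.
    hostile = ("alice", "' OR '1'='1")
    return {
        "concat_benign": login_concat(conn, *benign),    # ['alice']
        "concat_hostile": login_concat(conn, *hostile),  # every user
        "param_benign": login_param(conn, *benign),      # ['alice']
        "param_hostile": login_param(conn, *hostile),    # []
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The same tautology that makes the concatenated query return every user is treated as a literal password by the parameterized query and matches nothing, which is the whole point of the parameterized-query advice in the reply above.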
Current thread:
- is JSP&servelet web app SQL Injection Free? salamond (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Phillip Ames (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Taufiq Ali (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? Frank Fan (Jan 05)
- Re: is JSP&servelet web app SQL Injection Free? ArcSighter Elite (Jan 06)
- Re: is JSP&servelet web app SQL Injection Free? David Howe (Jan 06)