WebApp Sec mailing list archives

RE: tips to secure a web application


From: "Andy Gordon" <adg () microsoft com>
Date: Fri, 20 Feb 2004 10:38:19 -0000

From: .Saphyr [mailto:saphyr () infomaniak ch] 
Sent: 20 February 2004 02:36
To: webappsec () securityfocus com
Subject: Re: tips to secure a web application
You do not have fewer risks by using jdbc support for database communication. SQL injection flaws are related to an upper layer: the sql language, as jdbc only gives you a wrapper to access many database providers (sql 2000, oracle, odbc, ...).

You can however mitigate the sql/command injection flaws a lot by using the prepared statements classes (precompiled sql requests on which only parameters are added at runtime) with jdbc.

For more information, just google 'java prepared statements'.

Are there any libraries for constructing queries from untrusted inputs such as parameters to web apps, that send text-based SQL to the database, and that automatically filter the input (eg using regexps) to prevent SQL injection attacks? In particular, do these prepared statement libraries filter out inputs that include quotes and other nasties, by default?

Andy
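An added example (not from either poster) illustrating the point of the exchange above: a prepared statement does not filter or strip quotes at all; the SQL text is fixed in advance and the untrusted value is bound separately, so a quote in the input stays data. It uses Python's built-in sqlite3 module as a stand-in for JDBC so it runs offline, and the table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): an in-memory users table.
SEED_ROWS = [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: untrusted input spliced into the SQL text.
    A quote in `name` becomes part of the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Safe pattern, the same mechanism as a JDBC PreparedStatement: the SQL
    text is fixed and the value is bound separately. Nothing is filtered or
    escaped; the driver never parses the parameter as SQL, so a quote is
    matched literally as part of the name."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report the concatenated
    version's error (if any) next to the parameterized result."""
    conn = make_db()
    try:
        concat_result, concat_error = lookup_concatenated(conn, name), None
    except sqlite3.Error as exc:
        # The quote in the input broke the statement syntax.
        concat_result, concat_error = None, type(exc).__name__
    param_result = lookup_parameterized(conn, name)
    conn.close()
    return {"concatenated": concat_result, "concat_error": concat_error,
            "parameterized": param_result}


if __name__ == "__main__":
    for candidate in ("alice", "O'Brien", "nobody'"):
        print(repr(candidate), compare(candidate))
```

Binding works only for values; table and column names cannot be passed as parameters, so those must still come from a fixed allow-list rather than from the request.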
