Re: JDBC protections against SQL Injection

[Marc-André Laverdière <marc-andre () atc tcs com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning everyone,

The Java PreparedStatement class is there for you:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

- --
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

τ∂υƒιφ * wrote:
> Hey,
>
> This preach is applicable for any programming language. It all depends
> on how well you have done input & output validation. As in what input
> you expect & what input is malicious for your app. If all goes well
> you can make SQL injection very difficult or even impossible . The
> reason I say difficult, because it all depends on how well the SQL
> injection is crafted. As far as I recollect I don't think JDBC or for
> that case even java gives you predefined class for doing that. But
> there is quite a possibility that some one on the internet must have
> surely written these classes.
>
> --
> Taufiq
> http://www.niiconsulting.com/products/iso_toolkit.html
>
>
>
> 2009/3/16  <lister () lihim org>:
> > I've heard this preached before.
> >
> > Using JDBC properly can help protect against SQL Injection.
> >
> > What protections does JDBC provide?
> >
> > Does java encode the input to not be malicious?
> >
> > I'm curious where in the java source/libraries does jdbc help
> > to mitigate malicious input when using jdbc.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkm/LnIACgkQ1pcTV+tDOi4SCQCff3iHEl6I3C7vkziCUPjP1k0u
oCgAoJL659OG2pHXV9C+vgScbfdjXmXl
=DEaD
-----END PGP SIGNATURE-----