WebApp Sec mailing list archives
Re: Re: JDBC protections against SQL Injection
From: jjs_ritasa () verizon net
Date: 19 Mar 2009 05:04:24 -0000
I just posted a blog on this thread at: http://realeyes-tech.blogspot.com/2009/03/database-security.html

It covers what JDBC does for you security-wise (almost nothing), what I think the solution should be, and points you toward what I have done in my application's UI. If anyone has any more ideas, I would welcome them.

Later . . .

Jim
http://realeyes.sourceforge.net/

τ∂υƒιφ * wrote:
> Hey,
>
> This preaching is applicable for any programming language. It all depends on how well you have done input & output validation, as in what input you expect & what input is malicious for your app. If all goes well you can make SQL injection very difficult or even impossible. The reason I say difficult is because it all depends on how well the SQL injection is crafted.
>
> As far as I recollect, I don't think JDBC or, for that case, even Java gives you a predefined class for doing that. But there is quite a possibility that someone on the internet must have surely written these classes.
>
> --
> Taufiq
> http://www.niiconsulting.com/products/iso_toolkit.html
>
> 2009/3/16 <lister () lihim org>:
>> I've heard this preached before. Using JDBC properly can help protect against SQL Injection. What protections does JDBC provide? Does Java encode the input to not be malicious? I'm curious where in the Java source/libraries JDBC helps to mitigate malicious input when using JDBC.
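The JDBC mechanism the thread is asking about is parameter binding through PreparedStatement. The following is an added example, not code from any poster in this thread, showing the string-built query beside the parameterized one; it assumes a JDBC driver on the classpath, a `users(username, password_hash)` table, and a placeholder JDBC URL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: string-built SQL versus a parameterized PreparedStatement.
 * Assumes a JDBC driver on the classpath and a table
 *   users(username VARCHAR, password_hash VARCHAR)
 * reachable at JDBC_URL (placeholder value, not taken from the thread).
 */
public class JdbcLookup {
    private static final String JDBC_URL = "jdbc:PLACEHOLDER_DRIVER://host/db";

    // Vulnerable: the username is spliced into the SQL text, so a value
    // containing a quote or comment sequence changes the statement itself.
    static String hashByConcatenation(Connection c, String username) throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE username = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened: the SQL text is fixed before any user data arrives; the driver
    // sends the value as a bound parameter (or escapes it itself), so the input
    // is only ever compared as data and never parsed as SQL.
    static String hashByPreparedStatement(Connection c, String username) throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String input = args.length > 0 ? args[0] : "alice";
        try (Connection c = DriverManager.getConnection(JDBC_URL)) {
            System.out.println(hashByPreparedStatement(c, input));
        }
    }
}
```

Binding covers values only: table and column names or ORDER BY targets cannot be parameters, so any of those derived from input still need an allow-list check in application code.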
Current thread:
- JDBC protections against SQL Injection lister (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection private private (Mar 17)
- RE: JDBC protections against SQL Injection Dave Wichers (Mar 17)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- <Possible follow-ups>
- Re: Re: JDBC protections against SQL Injection jjs_ritasa (Mar 18)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)
- Re: Re: JDBC protections against SQL Injection lister (Mar 19)
- Re: JDBC protections against SQL Injection Rogan Dawes (Mar 19)
- Re: JDBC protections against SQL Injection Florian Weimer (Mar 19)
- Re: JDBC protections against SQL Injection Rohit Sethi (Mar 24)
- RE: JDBC protections against SQL Injection Jeff Williams (Mar 26)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)