Web Application Security
JDBC protections against SQL Injection Mar 16 2009 04:50PM
lister lihim org (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 04:32AM
Ï?â??Ï?Æ?ιÏ? * (tas0584 gmail com) (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 05:00AM
Marc-André Laverdière (marc-andre atc tcs com) (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 10:00AM
private private (securecure gmail com) (1 replies)
I know that if you use a parameterized command object in .Net it
mitigates sql injection on sql server for instance by calling
sp_executesql on the server passing in each sqlparameter object
escaped. The parameter objects are also typed checked before being
escaped adding additional security.

.Net also has prepare command on the .Net object this will validate
that the sqlcommand is valid according to the database schema and
requires an open connection to the database.

On 3/17/09, Marc-André Laverdière <marc-andre (at) atc.tcs (dot) com [email concealed]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good morning everyone,
>
> The Java PreparedStatement class is there for you:
> http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
>
> - --
> Marc-André Laverdière
> Software Security Scientist
> Innovation Labs, Tata Consultancy Services
> Hyderabad, India
>
> Ï?â??Ï?Æ?ιÏ? * wrote:
>> Hey,
>>
>> This preach is applicable for any programming language. It all depends
>> on how well you have done input & output validation. As in what input
>> you expect & what input is malicious for your app. If all goes well
>> you can make SQL injection very difficult or even impossible . The
>> reason I say difficult, because it all depends on how well the SQL
>> injection is crafted. As far as I recollect I don't think JDBC or for
>> that case even java gives you predefined class for doing that. But
>> there is quite a possibility that some one on the internet must have
>> surely written these classes.
>>
>> --
>> Taufiq
>> http://www.niiconsulting.com/products/iso_toolkit.html
>>
>>
>>
>> 2009/3/16 <lister (at) lihim (dot) org [email concealed]>:
>>> I've heard this preached before.
>>>
>>> Using JDBC properly can help protect against SQL Injection.
>>>
>>> What protections does JDBC provide?
>>>
>>> Does java encode the input to not be malicious?
>>>
>>> I'm curious where in the java source/libraries does jdbc help
>>> to mitigate malicious input when using jdbc.
>>>
>>>
>>>
>>>
>>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkm/LnIACgkQ1pcTV+tDOi4SCQCff3iHEl6I3C7vkziCUPjP1k0u
> oCgAoJL659OG2pHXV9C+vgScbfdjXmXl
> =DEaD
> -----END PGP SIGNATURE-----
>
>
>

--
Sent from my mobile device

[ reply ]
RE: JDBC protections against SQL Injection Mar 17 2009 02:00PM
Dave Wichers (dave wichers aspectsecurity com)


 

Privacy Statement
Copyright 2010, SecurityFocus