Web Application Security
JDBC protections against SQL Injection Mar 16 2009 04:50PM
lister lihim org (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 04:32AM
Ï?â??Ï?Æ?ιÏ? * (tas0584 gmail com) (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 05:00AM
Marc-André Laverdière (marc-andre atc tcs com) (1 replies)
Re: JDBC protections against SQL Injection Mar 17 2009 10:00AM
private private (securecure gmail com) (1 replies)
RE: JDBC protections against SQL Injection Mar 17 2009 02:00PM
Dave Wichers (dave wichers aspectsecurity com)
This is a great thread to give me the opportunity to announce my contribution to the OWASP Prevention Cheat Sheet Series:

http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

This is the 2nd article in this series, and it discusses all this in some detail in a language independent manner, but gives some examples in Java and .NET.

-Dave

p.s. The first article, written by Jeff Williams, is: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

I'd encourage you all to check this out as well. The XSS Prevention Cheat Sheet provides THE MOST CONCRETE recommendations for avoiding XSS that I have ever seen.

p.p.s. If anyone wants to volunteer to write other articles in the new OWASP Prevention Cheat Sheet Series, please let me and Jeff know.

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of private private
Sent: Tuesday, March 17, 2009 6:00 AM
To: Marc-André Laverdière; tas0584 (at) googlemail (dot) com [email concealed]; lister (at) lihim (dot) org [email concealed]; webappsec (at) securityfocus (dot) com [email concealed]
Subject: Re: JDBC protections against SQL Injection

I know that if you use a parameterized command object in .Net it mitigates SQL injection on SQL Server, for instance, by calling sp_executesql on the server, passing in each SqlParameter object escaped. The parameter objects are also type checked before being escaped, adding additional security.

.Net also has a Prepare command on the .Net object; this will validate that the SqlCommand is valid according to the database schema and requires an open connection to the database.

On 3/17/09, Marc-André Laverdière <marc-andre (at) atc.tcs (dot) com [email concealed]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good morning everyone,
>
> The Java PreparedStatement class is there for you:
> http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
>
> - --
> Marc-André Laverdière
> Software Security Scientist
> Innovation Labs, Tata Consultancy Services
> Hyderabad, India
>
> Ï?â??Ï?Æ?ιÏ? * wrote:

>> Hey,
>>
>> This preach is applicable for any programming language. It all depends
>> on how well you have done input & output validation. As in what input
>> you expect & what input is malicious for your app. If all goes well
>> you can make SQL injection very difficult or even impossible. The
>> reason I say difficult is because it all depends on how well the SQL
>> injection is crafted. As far as I recollect I don't think JDBC or for
>> that case even Java gives you a predefined class for doing that. But
>> there is quite a possibility that someone on the internet must have
>> surely written these classes.
>>
>> --
>> Taufiq
>> http://www.niiconsulting.com/products/iso_toolkit.html
>>

>> 2009/3/16 <lister (at) lihim (dot) org [email concealed]>:
>>> I've heard this preached before.
>>>
>>> Using JDBC properly can help protect against SQL Injection.
>>>
>>> What protections does JDBC provide?
>>>
>>> Does Java encode the input to not be malicious?
>>>
>>> I'm curious where in the Java source/libraries JDBC helps
>>> to mitigate malicious input when using JDBC.
>>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkm/LnIACgkQ1pcTV+tDOi4SCQCff3iHEl6I3C7vkziCUPjP1k0u
> oCgAoJL659OG2pHXV9C+vgScbfdjXmXl
> =DEaD
> -----END PGP SIGNATURE-----
>

--
Sent from my mobile device
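The mechanism the thread is circling around (JDBC PreparedStatement, .NET SqlParameter) is that the statement text is parsed first and the values are bound afterwards, so input is only ever compared as data. The following is an added example, not code from any poster or from OWASP; it uses Python's standard-library sqlite3 module rather than JDBC so it runs without a database driver, since the DB-API `?` placeholder binds exactly the way `PreparedStatement.setString()` does. The table, the sample rows, the `login_*` function names and the test inputs are all constructed for the demonstration. It also shows the one place parameters do not help, which the thread does not mention: identifiers such as an ORDER BY column cannot be bound and have to be checked against a fixed allow-list instead.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real credentials).
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# Column names a caller may sort by. Identifiers cannot be bound as
# parameters, so they are allow-listed instead (assumed set for this demo).
ALLOWED_SORT_COLUMNS = {"id", "name"}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: input is spliced into the SQL text before parsing,
    so quote characters in the input change the structure of the query."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Hardened form: the statement is parsed with '?' placeholders and the
    values are bound afterwards, so the input is only ever compared as data.
    This is the same mechanism as JDBC PreparedStatement and .NET
    SqlParameter; nothing in the input is interpreted as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def list_users_sorted(conn, column):
    """Identifiers (table or column names) cannot be parameterised, so the
    only safe way to accept one from the caller is to reject anything that
    is not on a fixed allow-list before interpolating it."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT name FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed test input containing a quote
    # Concatenation lets the quote close the literal: every user matches.
    print("concat, tautology:", login_concat(db, "nobody", tautology))
    # Binding compares the whole string as a password value: no rows match.
    print("param,  tautology:", login_param(db, "nobody", tautology))
    print("param,  real creds:", login_param(db, "alice", "s3cret"))
    print("sorted by name:", list_users_sorted(db, "name"))
```

The contrast between `login_concat` and `login_param` on the same input is the whole answer to the original question: JDBC does not "encode" the input, it keeps it out of the parsed statement. The `list_users_sorted` check is the caveat: a prepared statement only protects the positions where a placeholder is legal, so any identifier or keyword taken from the caller still needs validation of its own.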

Copyright 2010, SecurityFocus