[thelist] JSF, JSP and SQL Injection

Hassan Schroeder hassan at webtuitive.com
Wed Jan 19 11:36:15 CST 2005


Jay Blanchard wrote:
> [snip]
> Our development team has told me that we don't need to validate user
> input in our application because the values are all passed to prepared
> statements. Because of this, SQL injection cannot occur.
> [/snip]
> 
> What the development team said is BAD[tm]. That makes them potentially
> EVIL[tm].
> 
> Why can't SQL injection occur in a prepared statement? Are they
> validating the data at that level? 

Yes. That's one purpose of a Prepared Statement -- separating data
from command syntax. Look at the source of your JDBC driver if you
don't believe it.

That said, there's nothing *wrong* with validating input on the front
end to add an extra layer of security, forestall exceptions if/when
there's a datatype mismatch, etc.

Your decision to validate on the front end depends on your level of
paranoia and/or trust in your JDBC driver vendor, I suppose :-)

-- 
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.
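As an added illustration (not part of Hassan's message), the data-versus-syntax separation the reply describes, shown with Python's sqlite3 placeholders standing in for a JDBC PreparedStatement so it runs without a driver; the `users` table and its rows are constructed for the demo. It also shows the one thing a placeholder cannot bind, an identifier such as a sort column, which is where front-end validation still does real work.

```python
import sqlite3

# Constructed sample input: a username value carrying SQL syntax.
SUSPICIOUS_INPUT = "nobody' OR '1'='1"

# Columns a caller may sort by; identifiers must be checked, not bound.
ALLOWED_ORDER_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """String building: the value becomes part of the command syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder binding: the value travels as data and is never parsed."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def lookup_prepared_sorted(conn: sqlite3.Connection, name: str,
                           order_by: str) -> list:
    """Bound value plus an allowlisted identifier.

    A placeholder cannot hold a column or table name because identifiers
    are syntax, so anything landing in that position is validated against
    a fixed set before it is spliced into the statement text.
    """
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unexpected sort column: {order_by!r}")
    sql = f"SELECT name FROM users WHERE name = ? ORDER BY {order_by}"
    return [r[0] for r in conn.execute(sql, (name,))]
```

Run the two lookups with `SUSPICIOUS_INPUT`: the concatenated query returns every row, the bound one returns nothing, and the sort helper refuses any column outside the allowlist.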



