[thelist] JSF, JSP and SQL Injection
Hassan Schroeder
hassan at webtuitive.com
Wed Jan 19 11:36:15 CST 2005
Jay Blanchard wrote:
> [snip]
> Our development team has told me that we don't need to validate user
> input in our application because the values are all passed to prepared
> statements. Because of this, SQL injection cannot occur.
> [/snip]
>
> What the development team said is BAD[tm]. That makes them potentially
> EVIL[tm].
>
> Why can't SQL injection occur in a prepared statement? Are they
> validating the data at that level?
Yes. That's one purpose of a Prepared Statement -- separating data
from command syntax. Look at the source of your JDBC driver if you
don't believe it.
That said, there's nothing *wrong* with validating input on the front
end to add an extra layer of security, forestall exceptions if/when
there's a datatype mismatch, etc.
Your decision to validate on the front end depends on your level of
paranoia and/or trust in your JDBC driver vendor, I suppose :-)
--
Hassan Schroeder ----------------------------- hassan at webtuitive.com
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
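To make the point in the reply above concrete, here is an added example (not code from the original thread or from either poster). It uses Python's sqlite3 module in place of a JDBC driver, since the mechanism is the same: a bind parameter is transmitted as a value, so it can never become part of the command syntax. It also shows the one place the reply's caveat about front-end validation really bites: identifiers such as a column name in ORDER BY cannot be bound as parameters, so an allow-list check is the only defence there. The table, rows and payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data: a small in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

# Vulnerable form: the user-supplied value is spliced into the SQL text,
# so a quote in the input changes the statement's structure.
def lookup_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Parameterized form: the statement text is fixed, the value travels
# separately as data. Whatever the input contains, it is compared as a
# string against the name column and never parsed as SQL.
def lookup_param(conn, name):
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed injection payload: closes the quoted literal and adds a
# tautology so the concatenated query matches every row.
PAYLOAD = "x' OR '1'='1"

# Where parameters do not help: an identifier (here the ORDER BY column)
# is part of the command syntax, so it cannot be bound. Validate against
# an allow-list instead of trusting the input.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", lookup_concat(conn, PAYLOAD))   # both rows leak
    print("parameterized:", lookup_param(conn, PAYLOAD))   # no match
    print("sorted by role:", list_sorted(conn, "role"))
    try:
        list_sorted(conn, "name; DROP TABLE users")
    except ValueError as e:
        print("rejected:", e)
```

Running it shows the concatenated query returning every user for the payload while the parameterized query returns nothing, which is the driver doing exactly what the reply describes. The ORDER BY helper is the reason input validation is still worth keeping on the front end even when every value goes through a prepared statement.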