[thelist] JSF, JSP and SQL Injection
sbeam
sbeam at onsetcorps.net
Wed Jan 19 11:50:53 CST 2005
On Wednesday 19 January 2005 11:59 am, RUST Randal wrote:
> > Why can't SQL injection occur in a prepared statement? Are
> > they validating the data at that level? That sounds awfully
> > specious to me.
>
> My suspicion is that they are not validating at all, and just letting
> everything pass through.
If, by "validating", you mean escaping any characters that could cause a
break in a constructed SQL statement (i.e. the single quote) - then your
devs are right.
Actually, using prepare()/execute() APIs is probably the best way to
avoid SQL injection, whether in perl's DBI, JDBC, PEAR::DB, ADODB, etc.
If you are used to calling addslashes() in PHP, it might seem crazy but
there are some more sophisticated ways to go about it which also can
increase performance and db-independence:
some light reading:
http://pear.php.net/manual/en/package.database.db.intro-execute.php
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
or just
http://www.google.com/search?hl=en&lr=&q=prepared+statements+SQL+injection
Anyone who creates ad-hoc SQL statements should be aware of this.
--
# S Beam - Web App Dev Servs
# http://www.onsetcorps.net/
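As an added illustration of the prepare()/execute() point made above (this is not code from the original thread; Python's sqlite3 DB-API stands in for DBI/JDBC/PEAR::DB, and the table contents and lookup names are constructed), the same lookup built by string concatenation and with a placeholder:

```python
import sqlite3

def make_db():
    # Constructed in-memory sample table, not data from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    # Ad-hoc SQL: the input is spliced into the statement text, so a single
    # quote in the value becomes part of the statement's syntax.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, name):
    # prepare/execute with a placeholder: the driver passes the value as data,
    # so no escaping is needed and quotes cannot alter the statement.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo(name):
    # Returns (concatenated result or error text, prepared-statement result).
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    prepared = lookup_prepared(conn, name)
    conn.close()
    return concat, prepared

if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", demo(name))
```

A legitimate name containing a quote breaks the concatenated statement outright, while the placeholder version returns the matching row; an input that closes the quote and appends its own condition changes what the concatenated statement matches but is just an unmatched literal to the prepared one.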