[thelist] JSF, JSP and SQL Injection

sbeam sbeam at onsetcorps.net
Wed Jan 19 11:50:53 CST 2005


On Wednesday 19 January 2005 11:59 am, RUST Randal wrote:
> > Why can't SQL injection occur in a prepared statement? Are 
> > they validating the data at that level? The sounds awfully 
> > specious to me.
> 
> My suspicion is that they are not validating at all, and just letting
> everything pass through.

If, by "validating", you mean escaping any characters that could cause a 
break in a constructed SQL statement (i.e. the single quote) - then your 
devs are right.

Actually, using prepare()/execute() APIs is probably the best way to 
avoid SQL injection, whether in perl's DBI, JDBC, PEAR::DB, ADODB, etc. 
If you are used to calling addslashes() in PHP, it might seem crazy, but 
there are some more sophisticated ways to go about it which also can 
increase performance and db-independence:

some light reading:
http://pear.php.net/manual/en/package.database.db.intro-execute.php
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
or just
http://www.google.com/search?hl=en&lr=&q=prepared+statements+SQL+injection

Anyone who creates ad-hoc SQL statements should be aware of this.


-- 

# S Beam - Web App Dev Servs
# http://www.onsetcorps.net/
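The point made in the post (a bound parameter can never break the structure of the statement, while a quote pasted into an ad-hoc string can) is shown below in an added example. It is not code from the post or the thread; it uses Python's standard sqlite3 module as a stand-in for the DBI/JDBC/PEAR::DB prepare()/execute() APIs mentioned, with a constructed in-memory users table, and runs the same lookup both ways on a benign name, a name containing an apostrophe, and a hostile value.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pw2")]


def make_db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, username):
    """Ad-hoc SQL built by string concatenation (the pattern to avoid).

    The caller-supplied value becomes part of the statement text, so a single
    quote inside it changes what the database parses.  A legitimate apostrophe
    produces a syntax error; a crafted value changes the WHERE clause.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        # The quote broke the statement; report it instead of crashing.
        return "error"


def lookup_prepared(conn, username):
    """Prepared/parameterized form: the fix the post recommends.

    The statement text is fixed and parsed once; the value is bound separately
    as data, so quotes in it are just characters and cannot alter the query.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against the same inputs and return the outcomes."""
    conn = make_db()
    benign = "alice"
    apostrophe = "o'brien"            # legitimate name containing a quote
    hostile = "x' OR '1'='1"          # classic structure-breaking value
    return {
        "concat_benign": lookup_concat(conn, benign),
        "prepared_benign": lookup_prepared(conn, benign),
        "concat_apostrophe": lookup_concat(conn, apostrophe),
        "prepared_apostrophe": lookup_prepared(conn, apostrophe),
        "concat_hostile": lookup_concat(conn, hostile),
        "prepared_hostile": lookup_prepared(conn, hostile),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} -> {outcome}")
```

The concatenated version fails on the honest apostrophe and matches every row on the hostile value, while the bound version returns exactly the one matching row or nothing, which is the behaviour the post attributes to prepare()/execute().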

