JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

[Christopher Todd <chris () christophertodd com>]

I am working on the Java language section of the OWASP Guide to Securing Web
Applications, and I have a question for the list.  Have any of you elite SQL
Injectors ever been able to hack an application that was using JDBC
PreparedStatements?  Are any of you aware of a theoretical reason this
should be impossible?  I have tried, and been unsuccessful, to perform SQL
injection on an example app I coded up, but then again, I am not the world's
most talented SQL Injector.

On another note, have any of you ever successfully used SQL Injection
against a web app that was using Castor JDO, or other similar
Object-Relational mapping tools?  Again, I have tried to attack an example
app I coded up and failed.  Same question - is it theoretically impossible
to execute SQL injection against apps coded using these techniques and
tools?

I ask these questions because I think these two techniques can be used
effectively to thwart (or at least make more difficult) SQL injection
attacks against Java-based web apps, but I want to validate that belief to
the best extent I can prior to putting such statements into the Guide.
Thanks in advance for any help you can provide, as it will improve the
quality and usefullness of the Guide.

Chris