WebApp Sec mailing list archives
JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
From: Christopher Todd <chris () christophertodd com>
Date: Mon, 30 Dec 2002 15:29:26 -0500
I am working on the Java language section of the OWASP Guide to Securing Web Applications, and I have a question for the list. Have any of you elite SQL Injectors ever been able to hack an application that was using JDBC PreparedStatements? Are any of you aware of a theoretical reason this should be impossible? I have tried, and been unsuccessful, to perform SQL injection on an example app I coded up, but then again, I am not the world's most talented SQL Injector. On another note, have any of you ever successfully used SQL Injection against a web app that was using Castor JDO, or other similar Object-Relational mapping tools? Again, I have tried to attack an example app I coded up and failed. Same question - is it theoretically impossible to execute SQL injection against apps coded using these techniques and tools? I ask these questions because I think these two techniques can be used effectively to thwart (or at least make more difficult) SQL injection attacks against Java-based web apps, but I want to validate that belief to the best extent I can prior to putting such statements into the Guide. Thanks in advance for any help you can provide, as it will improve the quality and usefullness of the Guide. Chris
Current thread:
- JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Jeff Williams @ Aspect (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- <Possible follow-ups>
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Michael Howard (Dec 31)
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 31)