WebApp Sec mailing list archives
Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 30 Dec 2002 17:32:13 -0500
The use of prepared statements and stored procedures makes SQL injection impossible. A prepared statement is compiled before the user input is added to the SQL statement, effectively making it impossible to execute the client-supplied data because it is never compiled. There was a thread about this a couple of months back on this list, here's the first post: http://archives.neohapsis.com/archives/sf/www-mobile/2002-q3/0105.html Have a fun and securely programmed new year, everyone. Kevin Spett SPI Labs http://www.spidynamics.com ----- Original Message ----- From: "Christopher Todd" <chris () christophertodd com> To: <webappsec () securityfocus com> Sent: Monday, December 30, 2002 3:29 PM Subject: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection
I am working on the Java language section of the OWASP Guide to Securing
Web
Applications, and I have a question for the list. Have any of you elite
SQL
Injectors ever been able to hack an application that was using JDBC PreparedStatements? Are any of you aware of a theoretical reason this should be impossible? I have tried, and been unsuccessful, to perform SQL injection on an example app I coded up, but then again, I am not the
world's
most talented SQL Injector. On another note, have any of you ever successfully used SQL Injection against a web app that was using Castor JDO, or other similar Object-Relational mapping tools? Again, I have tried to attack an example app I coded up and failed. Same question - is it theoretically impossible to execute SQL injection against apps coded using these techniques and tools? I ask these questions because I think these two techniques can be used effectively to thwart (or at least make more difficult) SQL injection attacks against Java-based web apps, but I want to validate that belief to the best extent I can prior to putting such statements into the Guide. Thanks in advance for any help you can provide, as it will improve the quality and usefullness of the Guide. Chris
Current thread:
- JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Jeff Williams @ Aspect (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Dave Aitel (Dec 30)
- Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Kevin Spett (Dec 30)
- <Possible follow-ups>
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Michael Howard (Dec 31)
- RE: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection Christopher Todd (Dec 31)