Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL Injection

["Kevin Spett" <kspett () spidynamics com>]

Stored procedures by themselves do not provide protection, sorry if I worded
that poorly.  Prepared statements, *combined* with prepared statements do,
which is how I meant that statement to be interpereted.  Of course,
"impossible" should be taken with a grain of salt.


Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Dave Aitel" <dave () immunitysec com>
To: <webappsec () securityfocus com>
Sent: Monday, December 30, 2002 6:14 PM
Subject: Re: JDBC PreparedStatements, Java Data Objects/O-R mapping, and SQL
Injection


> I dunno about that. Impossible is such a big word, and I've seen SQL
> Injection successfully done at least few times against a stored
> procedure.
>
> You should put your sample apps on a web site somewhere so people can
> knock it around a bit.
>
> Dave Aitel
> Immunity, Inc.
> http://www.immunitysec.com/CANVAS/ (Remote SQL Server exploits make SQL
> Injection even more fun than usual!)
>
>
> On Mon, 30 Dec 2002 17:32:13 -0500
> "Kevin Spett" <kspett () spidynamics com> wrote:
>
> > The use of prepared statements and stored procedures makes SQL
> > injection impossible.  A prepared statement is compiled before the
> > user input is added to the SQL statement, effectively making it
> > impossible to execute the client-supplied data because it is never
> > compiled.  There was a thread about this a couple of months back on
> > this list, here's the first post:
> > http://archives.neohapsis.com/archives/sf/www-mobile/2002-q3/0105.html
> >
> > Have a fun and securely programmed new year, everyone.
> >
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com
> >
> >
> > ----- Original Message -----
> > From: "Christopher Todd" <chris () christophertodd com>
> > To: <webappsec () securityfocus com>
> > Sent: Monday, December 30, 2002 3:29 PM
> > Subject: JDBC PreparedStatements, Java Data Objects/O-R mapping, and
> > SQL Injection
> >
> >
> > > I am working on the Java language section of the OWASP Guide to
> > > Securing
> > Web
> > > Applications, and I have a question for the list.  Have any of you
> > > elite
> > SQL
> > > Injectors ever been able to hack an application that was using JDBC
> > > PreparedStatements?  Are any of you aware of a theoretical reason
> > > this should be impossible?  I have tried, and been unsuccessful, to
> > > perform SQL injection on an example app I coded up, but then again,
> > > I am not the
> > world's
> > > most talented SQL Injector.
> > >
> > > On another note, have any of you ever successfully used SQL
> > > Injection against a web app that was using Castor JDO, or other
> > > similar Object-Relational mapping tools?  Again, I have tried to
> > > attack an example app I coded up and failed.  Same question - is it
> > > theoretically impossible to execute SQL injection against apps coded
> > > using these techniques and tools?
> > >
> > > I ask these questions because I think these two techniques can be
> > > used effectively to thwart (or at least make more difficult) SQL
> > > injection attacks against Java-based web apps, but I want to
> > > validate that belief to the best extent I can prior to putting such
> > > statements into the Guide. Thanks in advance for any help you can
> > > provide, as it will improve the quality and usefullness of the
> > > Guide.
> > >
> > > Chris