WebApp Sec mailing list archives
Re: Re: JDBC protections against SQL Injection
From: lister () lihim org
Date: Thu, 19 Mar 2009 08:33:45 -0500
On Thu, Mar 19, 2009 at 08:01:55AM -0400, Pete Jansson wrote:
> On Thu, Mar 19, 2009 at 1:04 AM, <jjs_ritasa () verizon net> wrote:
>
>> 2009/3/16 <lister () lihim org>:
>>
>>> I've heard this preached before. Using JDBC properly can help protect against SQL Injection. What protections does JDBC provide?
>>
>> I just posted a blog on this thread at: http://realeyes-tech.blogspot.com/2009/03/database-security.html
>
> Some of the responses to your blog post caught this, but I didn't see any of the responses on this list mention it -- JDBC provides parameterized queries which prevent SQL injection. That's the answer to the OP's question. On your blog, Ken van Wyk pointed out that, just because parameterized queries prevent SQL injection, the input should still be validated because of other potential application-level evil, such as cross-site scripting. Your blog post also made good points about input validation. Getting data into SQL queries by any means other than parameters is 100% FAIL, and every application developer should know better by now. As a community, we need to do a better job of getting the word out, because this should have been the first answer to the OP's question, with four or five people writing "me too!"
I've been watching this thread, I appreciate the discussion. So, the "protections" discussed here are in the java.sql library? Being paranoid, I wanted to review the source in Java and find the area where the input is "escaped" to see how they handle the protections in implementation rather than blindly trust someone saying "just use ... it will protect against SQL injection". Are the built-in JDBC parameterized protections handled by Java natively, or by the JDBC implementation of the DB driver (i.e. Oracle, PostgreSQL, etc.)?

regards,
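The following is an added example, not code posted by anyone on this thread, that puts the two points above side by side: a query built by string concatenation next to the same query written as a parameterized `PreparedStatement`, run with a constructed input that carries a tautology. It also shows what `java.sql` itself does and does not provide: `PreparedStatement` is an interface, and the object you get back from `Connection.prepareStatement` is a class supplied by the driver, which is where the binding (server-side parameters or client-side escaping, depending on the driver) is actually implemented. Assumptions: a JDBC driver on the classpath and a JDBC URL in the `JDBC_URL` environment variable (both hypothetical names for this example), and a database that accepts the `VARCHAR` DDL used here.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JdbcParamDemo {

    // Constructed input containing a SQL tautology; used only to show the
    // difference between concatenation and parameter binding.
    static final String HOSTILE_INPUT = "x' OR '1'='1";

    // Vulnerable form: the input is spliced into the SQL text, so the
    // quote and OR clause become part of the query grammar and the WHERE
    // clause matches every row.
    static int countByNameConcat(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Parameterized form: the SQL text is fixed at prepare time and the
    // input is bound as a value, so it is compared as a literal string and
    // can never alter the statement's structure.
    static int countByNameParam(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Answers the "Java or driver?" question empirically: java.sql only
    // declares the PreparedStatement interface; the concrete class comes
    // from whichever driver served the Connection.
    static String implementingClass(Connection c) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            return ps.getClass().getName();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Hypothetical: JDBC URL supplied by the environment, e.g. for a
        // throwaway local database.
        String url = System.getenv("JDBC_URL");
        try (Connection c = DriverManager.getConnection(url)) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice')");
                st.execute("INSERT INTO users VALUES ('bob')");
                st.execute("INSERT INTO users VALUES ('carol')");
            }
            System.out.println("driver: " + c.getMetaData().getDriverName());
            System.out.println("PreparedStatement implemented by: " + implementingClass(c));
            // Concatenation lets the tautology widen the match to all rows;
            // the bound parameter matches only a user literally named x' OR '1'='1.
            System.out.println("concat count: " + countByNameConcat(c, HOSTILE_INPUT));
            System.out.println("param  count: " + countByNameParam(c, HOSTILE_INPUT));
        }
    }
}
```

Because the binding lives in the driver, the review lister asks for has to be done against the driver's source (or its documentation and the server's query log), not against `java.sql`: with server-side prepared statements the database receives the statement text and the parameter values separately, while a driver that interpolates on the client is relying on its own escaping being correct for that database's dialect.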
Current thread:
- JDBC protections against SQL Injection lister (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection private private (Mar 17)
- RE: JDBC protections against SQL Injection Dave Wichers (Mar 17)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- <Possible follow-ups>
- Re: Re: JDBC protections against SQL Injection jjs_ritasa (Mar 18)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)
- Re: Re: JDBC protections against SQL Injection lister (Mar 19)
- Re: JDBC protections against SQL Injection Rogan Dawes (Mar 19)
- Re: JDBC protections against SQL Injection Florian Weimer (Mar 19)
- Re: JDBC protections against SQL Injection Rohit Sethi (Mar 24)
- RE: JDBC protections against SQL Injection Jeff Williams (Mar 26)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)