WebApp Sec mailing list archives
Re: JDBC protections against SQL Injection
From: Rogan Dawes <lists () dawes za net>
Date: Thu, 19 Mar 2009 17:08:56 +0200
lister () lihim org wrote:
I've been watching this thread, and I appreciate the discussion. So, the "protections" discussed here are in the java.sql library? Being paranoid, I wanted to review the source in Java and find the area where the input is "escaped", to see how they handle the protections in implementation rather than blindly trust someone saying "just use ... it will protect against SQL injection". Are the built-in JDBC parameterized protections handled by Java natively, or by the JDBC implementation of the DB driver (i.e. Oracle, PostgreSQL, etc.)?

Regards,
The protections are implemented by the individual driver implementations. You may want to go take a look at the HSQLDB or H2 drivers for an example (of ones that I know are easily available).

That said, I have heard rumours of some PreparedStatement implementations that simply delegated to concatenated Statements, which would obviously not be secure. I *hope* that they were just rumours.

Rogan
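A small check along the lines of what is discussed above, added here as an example and not code from either poster: it runs the same lookup once through string concatenation and once through a PreparedStatement parameter, using a perfectly legitimate value that happens to contain a single quote. Against a driver that really parameterizes (or escapes) bound values, the prepared form returns the matching row while the concatenated form fails, because the quote in the data collides with the quote in the SQL text; a driver that merely spliced parameters into a Statement, as the rumour describes, would misbehave on the prepared form in the same way. It assumes the H2 driver (mentioned above) is on the classpath, and the table, rows and `O'Brien` value are constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class DriverParamCheck {
    // Constructed sample input: a legitimate value containing a single quote.
    static final String TRICKY_NAME = "O'Brien";

    public static void main(String[] args) throws SQLException {
        // H2 in-memory database (assumes the H2 driver is on the classpath).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:check")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(100))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'O''Brien')");
            }
            System.out.println("concatenated Statement: " + countByNameConcatenated(conn, TRICKY_NAME));
            System.out.println("PreparedStatement:      " + countByNamePrepared(conn, TRICKY_NAME));
        }
    }

    // Vulnerable form: the value is spliced into the SQL text. Even a benign
    // apostrophe breaks the quoting, which is the boundary an injection abuses.
    static String countByNameConcatenated(Connection conn, String name) {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return String.valueOf(rs.getInt(1));
        } catch (SQLException e) {
            return "SQLException (the quote in the data broke the statement): " + e.getMessage();
        }
    }

    // Hardened form: the SQL text is fixed and the value travels as a bound
    // parameter, so whatever it contains is treated as data by the driver.
    static int countByNamePrepared(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```

Expected behaviour with a correctly implemented driver: the concatenated lookup reports a SQLException and the prepared lookup returns 1. The check is a smoke test, not a proof; as the question above notes, the authoritative answer for a given driver is its source, specifically whether `setString` binds a server-side parameter or escapes the value client-side before building the statement text.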
Current thread:
- JDBC protections against SQL Injection lister (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection private private (Mar 17)
- RE: JDBC protections against SQL Injection Dave Wichers (Mar 17)
- Re: JDBC protections against SQL Injection Marc-André Laverdière (Mar 16)
- Re: JDBC protections against SQL Injection τ∂υƒιφ * (Mar 16)
- <Possible follow-ups>
- Re: Re: JDBC protections against SQL Injection jjs_ritasa (Mar 18)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)
- Re: Re: JDBC protections against SQL Injection lister (Mar 19)
- Re: JDBC protections against SQL Injection Rogan Dawes (Mar 19)
- Re: JDBC protections against SQL Injection Florian Weimer (Mar 19)
- Re: JDBC protections against SQL Injection Rohit Sethi (Mar 24)
- RE: JDBC protections against SQL Injection Jeff Williams (Mar 26)
- Re: Re: JDBC protections against SQL Injection Pete Jansson (Mar 19)