Re: JDBC protections against SQL Injection

[Rogan Dawes <lists () dawes za net>]

lister () lihim org wrote:
> I've been watching this thread, I appreciate the discussion.
>
> So, the "protections" discussed here are in the java.sql library?
>
> Being paranoid, I wanted to review the source in java and find the
> area where the input is "escaped" to see how they handle the protections
> in implementation rather than blindly trust someone saying "just use ...
> it will protect against SQL injection".
>
> Is the built-in jdbc parameterized protections handled by java natively,
> or by the jdbc implementation of the db driver (ie. oracle, postgresql,
> etc.)
>
> regards,

The protections are implemented by the individual driver implementations.

You may want to go take a look at the HSQLDB or H2 drivers for an
example (of ones that I know are easily available).

That said, I have heard rumours of some PreparedStatement
implementations that simply delegated to concatenated Statement's, which
would obviously not be secure. I *hope* that they were just rumours.

Rogan