WebApp Sec mailing list archives

Re: JDBC protections against SQL Injection


From: Rohit Sethi <rklists () gmail com>
Date: Mon, 23 Mar 2009 22:38:42 -0400

You'll be interested in this:
http://www.google.com/codesearch/p?hl=en#OzTl4d0Z71Q/mysql-connector-java-3.0.11-stable/com/mysql/jdbc/PreparedStatement.java&q=PreparedStatement%20lang:java%20mysql

This is the implementation of the PreparedStatement interface for
MySQL. Note the setString() method that escapes several interpreted
characters. Conceivably somebody can write a driver that fails to
properly implement this kind of method.

Cheers,

Rohit

On Thu, Mar 19, 2009 at 4:03 PM, Florian Weimer <fw () deneb enyo de> wrote:
Being paranoid, I wanted to review the source in java and find the
area where the input is "escaped" to see how they handle the protections
in implementation rather than blindly trust someone saying "just use ...
it will protect against SQL injection".

It's in the JDBC driver.  Escaping is database-specific, so only the
driver knows how to do it properly.

-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
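As an added illustration of the two points in this thread (Rohit's, that setString() escapes the characters MySQL interprets, and Florian's, that escaping is database-specific), the following Python model is not Connector/J code and not from the archive: it mirrors the character set a MySQL driver must escape, sets it beside plain SQL-92 quote doubling, and includes a small MySQL-dialect literal scanner with which a reviewer can check that a rendered statement still contains exactly one literal per bound value. The escape table and the scanner's handled escape sequences are assumptions drawn from MySQL's documented string syntax, not from the page.

```python
# Characters MySQL interprets inside a quoted literal (assumed to match the
# set Connector/J's setString() and mysql_real_escape_string() handle).
MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences whose meaning is not simply the next character (subset).
MYSQL_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}
def escape_mysql_string(value: str) -> str:
    """MySQL-aware escaping: backslash and both quote characters are special."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)

def escape_quote_doubling(value: str) -> str:
    """SQL-92 style escaping (only the quote is special); not enough for MySQL."""
    return value.replace("'", "''")

def bind(sql: str, params, escape) -> str:
    """Emulate a driver rendering each ? placeholder as a quoted, escaped literal."""
    parts = sql.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for part, value in zip(parts[1:], params):
        out += "'" + escape(value) + "'" + part
    return out

def string_literals(sql: str):
    """Scan SQL with MySQL rules; return the decoded single-quoted literals."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i, buf = i + 1, ""
        while i < n:
            ch = sql[i]
            if ch == "\\" and i + 1 < n:                  # backslash escape
                buf, i = buf + MYSQL_UNESCAPE.get(sql[i + 1], sql[i + 1]), i + 2
            elif ch == "'" and sql[i + 1:i + 2] == "'":   # doubled quote
                buf, i = buf + "'", i + 2
            elif ch == "'":                               # closing quote
                i += 1
                break
            else:
                buf, i = buf + ch, i + 1
        literals.append(buf)
    return literals

def driver_escapes_correctly(escape, samples) -> bool:
    """Each sample must render as exactly one literal carrying its original value."""
    query = "SELECT * FROM users WHERE name = ?"
    return all(string_literals(bind(query, [v], escape)) == [v] for v in samples)
```

Quote doubling passes for a value like O'Reilly but fails the check for a value containing a backslash followed by a quote, which is exactly the dialect knowledge that has to live in the driver.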
