camel-users mailing list archives
From moj0002 <mortenjensenh...@hotmail.com>
Subject JDBC allowNamedParameters=false
Date Thu, 01 May 2014 01:18:48 GMT
I am writing a DELETE statement using the JDBC component and want to make
sure there are no SQL injection possibilities. My statement does not have
any input parameters; it is basically a table with a few columns, including one
called MOD_TIME.

The SQL statement is in a bean 
DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days";

Since I have no bind variables or other parameters, I assume it is not
possible to inject SQL, but I am not completely sure.

Would I want to set allowNamedParameters to false to be doubly sure, and
what is the benefit?

I read about one security issue related to stylesheets where someone could
submit messages to a route. I am not sure how that would work: how do people gain
access to a route, and can they submit arbitrary SQL? I don't think so.

Route:

<route id="db-purger">
    <from uri="quartz2://myGroup/purgeTable?cron=0 20 */1 * * ?" />
    <log message="Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}"/>
    <bean ref="purgeBean" method="deleteProcessData"/>
    <to uri="jdbc://myDataSource"/>
    <log message="Rows deleted from PROCESS_TABLE: $simple{header.CamelJdbcUpdateCount} "/>
</route>



--
View this message in context: http://camel.465427.n5.nabble.com/JDBC-allowNamedParameters-false-tp5750737.html
Sent from the Camel - Users mailing list archive at Nabble.com.
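The following is an added Java DSL example, not code from the post above or from the Camel project, written to illustrate the question. It assumes a DataSource registered in the Camel registry as "myDataSource" (as in the poster's route) and a Camel 2.12 or later camel-jdbc component, where allowNamedParameters controls whether the body is scanned for ":?name" tokens and the CamelJdbcParameters header carries the values to bind. The direct:purgeBefore route, the PurgeRoutes and PurgeBean class names and the RETENTION_DAYS constant are hypothetical. The example contrasts a constant statement (no message content reaches the SQL, so there is nothing to inject, and allowNamedParameters=false only documents that no binding is expected), a deliberately unsafe concatenating bean for comparison, and a bean that lets the driver bind a varying value as a named parameter:

```java
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;

// Added example (not from the original post). Assumes a DataSource registered
// in the Camel registry as "myDataSource" and camel-jdbc 2.12+.
public class PurgeRoutes extends RouteBuilder {

    // Hypothetical retention window. A compile-time constant, never taken from
    // a message, so no attacker-controlled text can reach the statement.
    private static final int RETENTION_DAYS = 2;

    /** Stand-in for the poster's "purgeBean". */
    public static class PurgeBean {

        // Constant statement: nothing from the exchange is concatenated into it.
        // Even if arbitrary messages reached this route, the SQL is unchanged.
        public String deleteProcessData() {
            return "DELETE FROM MY_TABLE WHERE MOD_TIME <= current timestamp - 2 days";
        }

        // Deliberately UNSAFE, shown only for contrast: Camel bean binding passes
        // the message body as the argument, so whoever controls the message
        // controls the SQL. This is the pattern to avoid.
        public String unsafeDelete(String tableNameFromBody) {
            return "DELETE FROM " + tableNameFromBody + " WHERE MOD_TIME <= current timestamp - 2 days";
        }

        // When a value genuinely has to vary, bind it instead of splicing text:
        // ":?cutoff" in the body is resolved from the CamelJdbcParameters map
        // by the JDBC driver as a bind variable (requires allowNamedParameters=true,
        // which is the default).
        public void deleteOlderThan(Exchange exchange) {
            long cutoffMillis = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(RETENTION_DAYS);
            Map<String, Object> params = new HashMap<>();
            params.put("cutoff", new Timestamp(cutoffMillis));
            exchange.getIn().setHeader("CamelJdbcParameters", params);
            exchange.getIn().setBody("DELETE FROM MY_TABLE WHERE MOD_TIME <= :?cutoff");
        }
    }

    @Override
    public void configure() {
        // Scheduled purge, equivalent to the poster's XML route. Spaces in the
        // cron expression are written as '+' in a Java DSL URI.
        from("quartz2://myGroup/purgeTable?cron=0+20+*/1+*+*+?")
            .routeId("db-purger")
            .log("Running purge at ${date:now:yyyy-MM-dd HH:mm:ss z}")
            .bean(PurgeBean.class, "deleteProcessData")
            // With a constant body this option changes nothing functionally; it
            // just tells the component not to look for ":?name" tokens at all.
            .to("jdbc:myDataSource?allowNamedParameters=false")
            .log("Rows deleted from PROCESS_TABLE: ${header.CamelJdbcUpdateCount}");

        // Hypothetical second route showing the bound-parameter variant.
        from("direct:purgeBefore")
            .bean(PurgeBean.class, "deleteOlderThan")
            .to("jdbc:myDataSource")
            .log("Rows deleted from PROCESS_TABLE: ${header.CamelJdbcUpdateCount}");
    }
}
```

The security-relevant distinction is where the statement text comes from, not whether named parameters are enabled: deleteProcessData never reads the exchange, so the route's exposure is limited to whoever can trigger the timer, while unsafeDelete would turn any caller able to send a message into a database user. Setting allowNamedParameters=false is harmless for a constant statement, but it removes the safe binding mechanism you would want if the query ever needs a variable value, so leave it enabled on routes that use ":?name" parameters.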
