click-dev mailing list archives

From georgex <>
Subject Re: How sure is Click against SQL injections?
Date Mon, 29 Mar 2010 09:47:43 GMT

Malcolm Edgar-2 wrote:
> Click does not provide any specific facilities to prevent SQL
> injection attacks, as this is an application domain requirement.
You are fully right, but if something like this happens, the blame always goes
to the web framework too, since everything passes through the web

Malcolm Edgar-2 wrote:
> and potentially an application level Filter to strip dangerous characters,
> or to reject these requests.
This is interesting.
It would be helpful if there were such a Filter example in
click-examples and/or Best Practices.

I couldn't find so far a good example for Java that would not have a bad
impact on performance :(.

P.S. It was my mistake to call it "SQL injection" even though that parameter
attack happens in the absence of an SQL database and the attacker gains
access, e.g. in case of XML persistence, or simple file system operations
(although I haven't found out what this type of attack is called).
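A servlet Filter of the kind the reply asks for, added here as an illustration; it is not code from Click, click-examples or the thread, and the class and pattern names are hypothetical. It rejects requests whose parameter values fall outside an allow-list rather than stripping characters, and uses a precompiled pattern so the per-request cost is one linear scan of the parameter values.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical example filter: rejects any request whose parameter values fall
// outside an allow-list, instead of stripping characters (stripping can be
// bypassed and silently alters user input). The regex is a single character
// class repeated, so matching is linear in the input length.
public class ParameterAllowListFilter implements Filter {

    // Constructed allow-list: letters, digits and a few punctuation characters
    // typical of form input. Tighten it per application; quotes, semicolons and
    // comment markers are deliberately absent.
    private static final Pattern ALLOWED = Pattern.compile("[\\p{L}\\p{N} _.@,:/+-]*");
    private static final int MAX_LENGTH = 1024;

    public void init(FilterConfig config) { }

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Map<String, String[]> params = request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            for (String value : entry.getValue()) {
                if (!isAcceptable(value)) {
                    // Reject the whole request; naming the parameter helps server-side logging.
                    ((HttpServletResponse) response).sendError(
                            HttpServletResponse.SC_BAD_REQUEST,
                            "Rejected parameter: " + entry.getKey());
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    // Length cap first so oversized values are refused before any matching.
    static boolean isAcceptable(String value) {
        return value != null && value.length() <= MAX_LENGTH && ALLOWED.matcher(value).matches();
    }

    public void destroy() { }
}
```

Register it with a filter and filter-mapping entry in web.xml for the URL patterns that carry form input. Such a filter only narrows what reaches the application; parameterised queries (PreparedStatement) remain the primary defence against SQL injection itself.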