From georgex <george.st...@yahoo.com>
Subject Re: How sure is Click against SQL injections?
Date Mon, 29 Mar 2010 09:54:07 GMT


Bob Schellink wrote:
> 
> ORMs like Hibernate/JPA/Cayenne take care of SQL injection by using
> prepared statements. If you use raw JDBC you should use prepared statements
> as well.
> 
> See the defense strategies mentioned here:
>    http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
> 
Thank you for the pointer Bob.

If the ORM solves this, then it's nice, but there are other cases that are
not SQL injection (I don't know what they're called), but with a similar
pattern: parameter attack on webapps when using:
 - an OODB - the Click#Form#copyTo() sends those modified params directly to
the object database.
 - XML persistence is used.
 - a file system is used for various operations - thus the parameter
manipulation gains access to files other than those allowed.


thanks,
George.
-- 
View this message in context: http://n2.nabble.com/How-sure-is-Click-agains-SQL-injections-tp4813027p4817046.html
Sent from the click-development mailing list archive at Nabble.com.
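As an added illustration of the parameter-binding pattern George describes (this is not code from the Click project or from anyone in this thread): a simplified reflective form-to-object copy standing in for Form#copyTo(), run once over every request parameter and once restricted to an allowlist of the fields the form actually presents. Account, the tampered parameter map and the bind() helper are all constructed for the example.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.Set;

// Save as ParamBindingDemo.java. Account is a constructed stand-in for an
// entity persisted to an OODB; bind() is a simplified stand-in for a
// form-to-object copy, not Click's own Form#copyTo() implementation.
public class ParamBindingDemo {

    public static class Account {
        private String username;
        private String email;
        private boolean admin;   // must never be settable from a request
        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Copies request parameters onto matching bean properties. With allowed == null
    // every parameter that names a writable property is applied (the risky pattern);
    // with an allowlist, only the fields the form deliberately exposes are bound.
    static void bind(Map<String, String> params, Object target, Set<String> allowed) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(
                target.getClass(), Object.class).getPropertyDescriptors()) {
            String name = pd.getName();
            if (pd.getWriteMethod() == null || !params.containsKey(name)) continue;
            if (allowed != null && !allowed.contains(name)) continue;  // unexpected param dropped
            String raw = params.get(name);
            Object value = pd.getPropertyType() == boolean.class ? Boolean.valueOf(raw) : raw;
            pd.getWriteMethod().invoke(target, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the client appended an "admin" parameter the form never offered.
        Map<String, String> tampered =
                Map.of("username", "george", "email", "george@example.com", "admin", "true");
        Account unchecked = new Account();
        bind(tampered, unchecked, null);
        System.out.println("unrestricted copy: admin=" + unchecked.isAdmin());
        Account checked = new Account();
        bind(tampered, checked, Set.of("username", "email"));
        System.out.println("allowlisted copy:  admin=" + checked.isAdmin());
    }
}
```

Run it with `java ParamBindingDemo.java` (Java 11 or later); the unrestricted copy ends up with admin=true while the allowlisted copy keeps admin=false, which is the check to apply before handing a bound object to an OODB or XML store.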
