click-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Schellink <>
Subject Re: How sure is Click agains SQL injections?
Date Mon, 29 Mar 2010 09:58:16 GMT
I don't see how a filter can protect against SQL injection. Unless you are talking about XSS
is something else altogether.

kind regards


On 29/03/2010 08:47 PM, georgex wrote:
> Malcolm Edgar-2 wrote:
>> Click does not provide any specific facilities to prevent SQL
>> injection attacks, as this is an application domain requirement.
> You are fully right, but if something like this happens, the blame goes
> always to the web framework too, since everything passes through the web
> layer.
> Malcolm Edgar-2 wrote:
>> and potentially a application level Filter strip dangerous characters,
>> or to reject these requests.
> This is interesting.
> It would be helpful if there would be such a Filter example in
> click-examples and/or Best Practices.
> I couldn't find so far a good example for Java that would not have a bad
> impact on performance :(.
> thanks,
> George.
> P.S. It was my mistake to consider "SQL injection" even if that parameter
> attack happens in the absence of an SQL database and the attacker gains
> access , e.g. in case of XML persistence, or simple file system operations
> (although I haven't found how this type of attach is called).

View raw message