From: Bob Schellink
To: dev@click.apache.org
Date: Mon, 29 Mar 2010 20:11:42 +1100
Subject: Re: How sure is Click against SQL injections?
Message-ID: <4BB06ECE.5060108@gmail.com>
In-Reply-To: <1269783017320-4813027.post@n2.nabble.com>

Hi George,

ORMs like Hibernate/JPA/Cayenne take care of SQL injection by using
prepared statements. If you use raw JDBC you should use prepared
statements as well. See the defense strategies mentioned here:

http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

kind regards
bob

On 29/03/2010 12:30 AM, georgex wrote:
>
> How sure is Click against SQL injections?
> I mean a typical Click application like Click-Examples - but without Spring
> (where the average programmer doesn't add an extra layer of checking - but
> it's using Click as default).
>
> Thanks,
> George.
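The prepared-statement advice in the reply above, written out as an added example; this is not code from the thread, from Apache Click or from the OWASP page it links. It assumes a `users` table with `username` and `email` columns, a JPA entity `User` mapped to that table, and a JDBC `Connection` or JPA `EntityManager` supplied by the application. The `name` argument stands for a request parameter read from a Click form field; the unsafe method is included only as the "before" form so the difference is visible side by side.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

/**
 * Looking up a user by name three ways.  Table, column and entity names
 * are assumptions made for this example; adapt them to your schema.
 */
public class UserLookup {

    /** Minimal JPA entity assumed for the JPQL variant. */
    @Entity
    public static class User {
        @Id public Long id;
        public String username;
        public String email;
    }

    /** Plain result row for the JDBC variants. */
    public static final class UserRow {
        public final String username;
        public final String email;
        UserRow(String username, String email) {
            this.username = username;
            this.email = email;
        }
    }

    /**
     * VULNERABLE ("before" form): the request value is concatenated into the
     * SQL text, so the database parses whatever the caller typed as part of
     * the statement.  Kept here only for comparison; do not use.
     */
    public static List<UserRow> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT username, email FROM users WHERE username = '" + name + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /**
     * SAFE: a PreparedStatement sends the SQL text and the parameter value to
     * the database separately.  The driver binds "name" as data, so its
     * content can never change the structure of the query.
     */
    public static List<UserRow> findByName(Connection conn, String name) throws SQLException {
        String sql = "SELECT username, email FROM users WHERE username = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, name);   // bound as a value, never parsed as SQL
            try (ResultSet rs = stmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /**
     * SAFE with JPA: a named parameter in JPQL is bound the same way the ORM
     * binds values for the queries it generates itself, which is why the ORM
     * "takes care of" injection.  Concatenating the request value into the
     * JPQL string would reopen the hole even though an ORM is in use.
     */
    public static List<User> findByNameJpa(EntityManager em, String name) {
        TypedQuery<User> q = em.createQuery(
            "SELECT u FROM User u WHERE u.username = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    /** Copies the result set into plain objects so the statement can be closed. */
    private static List<UserRow> collect(ResultSet rs) throws SQLException {
        List<UserRow> rows = new ArrayList<>();
        while (rs.next()) {
            rows.add(new UserRow(rs.getString("username"), rs.getString("email")));
        }
        return rows;
    }
}
```

Parameter binding covers values only: table and column names, an ORDER BY direction or a LIMIT count cannot be bound, so where those must vary, map the request value through a fixed allow-list before it reaches the query text. A cheap check on an existing code base is to search for `createStatement(` and for `+` or `String.format` applied to strings containing `SELECT`, `WHERE` or a quote character; each hit should either be a constant query or be rewritten in the `findByName` form.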