cocoon-dev mailing list archives
From Torsten Curdt <>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 22:40:13 GMT
> I do not see a possibility of the aforementioned "DROP TABLE" exploit in
> this case. The only "unverified" data here is "id" and it is making its way
> into the query via two mechanisms that would ensure its safety:
> 1) Integer.parseInt()
> 2) PreparedStatement.setInt() that is generated by <esql:parameter> element.
> I say, you're safe here.

Guys, I guess we already had an agreement that we are pretty safe with
ESQL. (Just because of the prepared statements) But it's true - it's
really the question if the DBMS should do the validation for us...
...but it does it very reliably ;)

> > <esql:parameter type="int">
> >   <xsp:expr>
> >     Integer.parseInt(
> >       <xsp-request:get-parameter name="id" default="0"/>
> >     )
> >   </xsp:expr>
> > </esql:parameter>

BTW: this snippet clearly states that Cocoon actually does a check
first ;) ...but we would be safe even without!

It's a deeper issue. Every time we ask for a request parameter we
need to keep in mind that it might be evil and it needs to be checked.
The question is whether it wouldn't make sense to have this centralized.
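As an added example (not from this thread and not Cocoon's own code), the two mechanisms in the quoted snippet plus the centralized request-parameter check discussed above, ported to Python with sqlite3 so it runs stand-alone: `get_int_parameter` stands in for `Integer.parseInt()` applied to `<xsp-request:get-parameter name="id" default="0"/>`, and the bound `?` stands in for `PreparedStatement.setInt()` from `<esql:parameter type="int">`. The table, the parameter values and the fall-back-to-default policy are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the ESQL data source.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)",
                     [(0, "none"), (1, "alpha"), (2, "beta")])
    return conn

# The character set Integer.parseInt() accepts (optional sign, digits only);
# the 32-bit range is checked separately below.
INT_RE = re.compile(r"[+-]?[0-9]+")

def get_int_parameter(params, name, default=0):
    """Centralized request-parameter check, the counterpart of
    Integer.parseInt(<xsp-request:get-parameter name=... default=.../>).
    Hypothetical policy: anything that is not a plain 32-bit integer
    falls back to the default, so it never reaches the query text."""
    raw = params.get(name)
    if raw is None:
        return default
    if not INT_RE.fullmatch(raw):
        return default   # "2; DROP TABLE item", "1 OR 1=1", " 2 " all land here
    value = int(raw)
    if not -2**31 <= value <= 2**31 - 1:
        return default   # parseInt() would throw NumberFormatException on overflow
    return value

def lookup_item(conn, params):
    """The query from the thread: id is bound as an int parameter
    (PreparedStatement.setInt), so it travels as data, not as SQL text."""
    item_id = get_int_parameter(params, "id", default=0)
    row = conn.execute("SELECT name FROM item WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None

def table_exists(conn):
    """Sanity check used to show the table survives hostile input."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='item'"
    ).fetchone()[0] == 1
```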
