cocoon-dev mailing list archives

From Christian Haul <>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 08:34:56 GMT
On 05.Nov.2002 -- 12:26 AM, Carl Mäsak wrote:


> Today I have been thinking about what would really patch the security
> hole. What we're talking about here, by the way, is a phenomenon called
> 'SQL Injection', a term which should be familiar to every developer of web
> applications that interface with an SQL database. If you don't know about
> this security hazard, and your webapp uses SQL, you are through inaction
> placing your information, and thereby your users, at the mercy of
> competent (and not so competent) hackers!
> I refer to the pdf
> for more information. Be aware that more than simple removal of 'bad
> characters' is needed in order to protect oneself fully -- ample examples
> and reasons are given in the paper.
> My question, finally: Could future versions of Cocoon protect against this
> type of 'database rape' -- for example in the class

As the document points out, input validation is crucial. Cocoon offers
input validation through XMLForms and the *ValidatorActions,
e.g. the FormValidatorAction.

Another important aspect is not to compose a query from strings but
use PreparedStatements for that. This way the driver takes care that a
parameter is just a parameter and not a command. All the database
actions do that. ESQL does that, too, if the <esql:parameter/> tags
are used.

I don't see what could be done further.


C h r i s t i a n       H a u l
    fingerprint: 99B0 1D9D 7919 644A 4837  7D73 FEF9 6856 335A 9E08
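The two points made in the reply above, composing a query from strings is injectable while bound parameters are not, and the point from the quoted paper that stripping "bad characters" is not a fix, can be shown side by side. The following is an added example and is not code from this thread or from Cocoon; it uses Python's sqlite3 module instead of Cocoon's Java/JDBC, but the parameter binding in the last function behaves exactly like a JDBC PreparedStatement or an ESQL <esql:parameter/>: the command text is fixed and the value can only ever be data. The table, its rows and the hostile input are constructed for the illustration.

```python
"""Added example: one lookup written three ways against an in-memory
SQLite table.  Shows why pasting request parameters into SQL text is
injectable, why a character blacklist does not fix it, and why a bound
parameter (the sqlite3 analogue of a JDBC PreparedStatement) does."""
import sqlite3


def make_db():
    """Constructed sample data, not from the original message."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_concat(conn, user_id):
    """VULNERABLE: the parameter becomes part of the command text, so any
    SQL syntax inside it is executed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_filtered(conn, user_id):
    """STILL VULNERABLE: removing quotes, semicolons and comment markers
    helps nothing in a numeric context, where "1 OR 1=1" needs none of
    them.  This is the 'bad character removal' the quoted paper warns
    against."""
    cleaned = user_id.replace("'", "").replace(";", "").replace("--", "")
    sql = "SELECT name FROM users WHERE id = " + cleaned
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_id):
    """SAFE: the command text never changes; the driver binds the value as
    data.  Whatever the string contains is compared against id, never
    parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


# Constructed attacker input.  Note it contains no quote character at all.
HOSTILE_ID = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("concat:  ", lookup_concat(db, HOSTILE_ID))    # every name leaks
    print("filtered:", lookup_filtered(db, HOSTILE_ID))  # filter changed nothing
    print("prepared:", lookup_prepared(db, HOSTILE_ID))  # no row has that id
    print("prepared:", lookup_prepared(db, "2"))         # normal use still works
```

Running it, the first two functions return all three names for the hostile input because `WHERE id = 1 OR 1=1` is true for every row; the parameterised version returns nothing, since no row's id equals the literal string, while a legitimate id such as "2" still resolves to the right user. The same contrast holds for JDBC: `Statement.executeQuery(sqlBuiltFromStrings)` versus `PreparedStatement.setString(1, value)`.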
