cocoon-dev mailing list archives

From "Ilya A. Kriveshko" <i...@kaon.com>
Subject Re: R: A case of SQL injection
Date Tue, 05 Nov 2002 15:05:28 GMT
Luca Morandini wrote:

>Torsten,
>
>call me boring, but, wouldn't it be better using stored procedures over
>dynamic SQL ?
>
<quote from="MySQL Documentation">
  Our aim is to have stored procedures implemented in MySQL Server 
around version 5.0.
</quote>

Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
when not taken care of... :-)

As far as DB exploits go, IMO, prepared statements are the simplest and the most
reliable way to ensure security against SQL injection. I think it should be a rule that
no piece of data ever gets concatenated into an SQL query.
Using PreparedStatement.set<Type>() should be the only accepted way to do that.
The only strings that can be concatenated into a dynamic SQL query should
be SQL fragments that are declared locally in the source code. Anything short of
that would never pass a peer code review 'round these parts.
--
Ilya

>
>It offers: SoC, code re-use, security, performance...
>
>Best regards,
>
>Luca Morandini
>lmorandini@ieee.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
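The rule stated in the message above (data is only ever bound through PreparedStatement.set<Type>(), and the only text concatenated into dynamic SQL is a fragment declared in the source), shown as an added Java/JDBC example that is not from the thread or from Cocoon; the users table, its columns and the method names are assumed:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

// Illustrative class, not Cocoon code. Table and column names are assumed.
public class UserLookup {

    // Vulnerable: user-supplied data is concatenated straight into the query text,
    // so a name containing a quote changes the WHERE clause instead of being
    // compared as a literal string.
    static ResultSet findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'";
        return conn.createStatement().executeQuery(sql);
    }

    // The rule from the message: data never touches the SQL text. The value is
    // bound with PreparedStatement.setString(), so the driver passes it as a
    // parameter and the shape of the query cannot be altered by its contents.
    static ResultSet findByName(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, name, email FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Dynamic SQL where a bind parameter cannot be used (an ORDER BY column).
    // Only fragments declared here in the source are ever concatenated; the
    // caller's input merely selects one of them and is never copied into the SQL.
    private static final Map<String, String> ORDER_FRAGMENTS = Map.of(
        "name",  " ORDER BY name",
        "email", " ORDER BY email");

    static ResultSet listSorted(Connection conn, String sortKey) throws SQLException {
        String fragment = ORDER_FRAGMENTS.get(sortKey);
        if (fragment == null) {
            // Unknown key: refuse rather than fall back to concatenating the input.
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, name, email FROM users" + fragment);
        return ps.executeQuery();
    }
}
```

The caller is responsible for closing the returned ResultSet and its statement; that housekeeping is left out to keep the three patterns side by side.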

