cocoon-dev mailing list archives

From "Ilya A. Kriveshko" <i...@kaon.com>
Subject Re: A case of SQL injection
Date Tue, 05 Nov 2002 21:50:33 GMT

Antonio Gallardo Rivera wrote:

>Just a question. Please don't take it wrong.
>Can you send a "DROP TABLE mytable" in the following example of an XSP page? I
>am using mod-db stuff too.
>
I do not see a possibility of the aforementioned "DROP TABLE" exploit in
this case. The only "unverified" data here is "id" and it is making its way
into the query via two mechanisms that would ensure its safety:

1) Integer.parseInt()
2) PreparedStatement.setInt() that is generated by <esql:parameter> element.

I say, you're safe here.
--
Ilya

><esql:execute-query>
>  <esql:query>
>    SELECT * FROM mytable
>    WHERE mytable_id=
>      <esql:parameter type="int">
>        <xsp:expr>
>          Integer.parseInt(
>            <xsp-request:get-parameter name="id" default="0"/>
>          )
>        </xsp:expr>
>      </esql:parameter>
>  </esql:query>
></esql:execute-query>
>
>Antonio Gallardo
>
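As an added example (not from this thread and not Cocoon's own code), here are the two mechanisms Ilya lists, rendered in Python with sqlite3 instead of XSP/JDBC so it runs stand-alone. `lookup_unsafe` is the string-concatenation pattern Antonio was worried about; `parse_id` stands in for `Integer.parseInt()` on the request parameter, and the `?` placeholder in `lookup_safe` stands in for `<esql:parameter type="int">` turning into `PreparedStatement.setInt()`. `bind_without_parse` shows that parameter binding on its own already keeps the value out of the SQL text. The table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for Antonio's "mytable".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mytable_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO mytable VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_unsafe(conn, raw_id):
    # The pattern the thread is about: the request parameter is pasted
    # straight into the SQL text, so it becomes part of the statement.
    sql = "SELECT * FROM mytable WHERE mytable_id=" + raw_id
    return conn.execute(sql).fetchall()


def parse_id(raw_id, default="0"):
    # Mirrors Integer.parseInt(<xsp-request:get-parameter name="id" default="0"/>):
    # a missing parameter falls back to "0", and anything that is not an
    # integer literal raises ValueError, so no SQL fragment gets any further.
    if raw_id is None:
        raw_id = default
    return int(raw_id)


def lookup_safe(conn, raw_id):
    # Mirrors <esql:parameter type="int"> -> PreparedStatement.setInt():
    # the parsed integer is bound as a typed parameter; the SQL text is fixed.
    return conn.execute(
        "SELECT * FROM mytable WHERE mytable_id=?", (parse_id(raw_id),)
    ).fetchall()


def bind_without_parse(conn, raw_id):
    # Binding alone, with no integer parsing: the raw string is still only
    # data to the engine and is compared against the column, never executed.
    return conn.execute(
        "SELECT * FROM mytable WHERE mytable_id=?", (raw_id,)
    ).fetchall()


def demo():
    conn = make_db()
    results = {}
    results["unsafe_normal"] = lookup_unsafe(conn, "2")
    results["unsafe_injected"] = lookup_unsafe(conn, "0 OR 1=1")  # every row leaks
    results["safe_normal"] = lookup_safe(conn, "2")
    try:
        lookup_safe(conn, "0 OR 1=1")
        results["safe_injected"] = "executed"
    except ValueError as exc:
        results["safe_injected"] = "rejected: " + str(exc)
    results["bound_only"] = bind_without_parse(conn, "0 OR 1=1")  # no rows
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note the one difference from Java worth knowing: Python's `int()` tolerates surrounding whitespace and underscores (`" 2 "`, `"1_0"`) where `Integer.parseInt()` rejects them; neither accepts anything containing SQL, which is what matters for the question asked.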
