cocoon-dev mailing list archives

From "Luca Morandini" <spectrum.morand...@ipzs.it>
Subject R: R: A case of SQL injection
Date Tue, 05 Nov 2002 15:23:04 GMT
> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)

Ilya, you might be oblivious of the presence of PL/SQL (sort of) in
PostgreSQL...

Best regards,

Luca Morandini
Istituto Poligrafico e Zecca dello Stato
lmorandini@ieee.org
spectrum.morandini@ipzs.it


> -----Original Message-----
> From: Ilya A. Kriveshko [mailto:ilya@kaon.com]
> Sent: Tuesday, 5 November 2002 16:05
> To: cocoon-dev@xml.apache.org
> Subject: Re: R: A case of SQL injection
>
>
> Luca Morandini wrote:
>
> >Torsten,
> >
> >call me boring, but, wouldn't it be better using stored procedures over
> >dynamic SQL ?
> >
> <quote from="MySQL Documentation">
>   Our aim is to have stored procedures implemented in MySQL Server
> around version 5.0.
> </quote>
>
> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)
>
> As far as DB exploits go, IMO, prepared statements are the simplest and
> the most reliable way to ensure security against SQL injection. I think
> it should be a rule that no piece of data ever gets concatenated into an
> SQL query. Using PreparedStatement.set<Type>() should be the only
> accepted way to do that. The only strings that can be concatenated into
> a dynamic SQL query should be SQL fragments that are declared locally in
> the source code. Anything short of that would never pass a peer code
> review 'round these parts.
> --
> Ilya
>
> >
> >It offers: SoC, code re-use, security, performance...
> >
> >Best regards,
> >
> >Luca Morandini
> >lmorandini@ieee.org
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
> >For additional commands, email: cocoon-dev-help@xml.apache.org
> >
> >
> >
> >


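Ilya's rule above (bind every piece of data through PreparedStatement.set<Type>(), and concatenate nothing but SQL fragments declared in the source) written out in JDBC, as an added example that is not from this thread or the Cocoon code base; the users table and its name, email and created_at columns are assumed:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Added example, not Cocoon code. A table "users" with columns name, email, created_at is assumed. */
public final class UserLookup {
    // Vulnerable: user data is concatenated into the query text, so a quote
    // character in 'name' alters the structure of the statement itself.
    static List<String> emailsByNameUnsafe(Connection con, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }
    // Hardened: the SQL text is a constant; data reaches the database only through
    // set<Type>(), which ships it as a bound parameter, never as query text.
    static List<String> emailsByName(Connection con, String name) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) { return collect(rs); }
        }
    }
    // When the query must vary, the only concatenated strings are SQL fragments
    // declared in this source file; the caller selects one by key, never by text.
    static List<String> emailsByDomain(Connection con, String domain, String sortKey, int limit)
            throws SQLException {
        String orderBy;
        switch (sortKey) {
            case "name":    orderBy = "ORDER BY name"; break;
            case "created": orderBy = "ORDER BY created_at DESC"; break;
            default: throw new IllegalArgumentException("unknown sort key");
        }
        String sql = "SELECT email FROM users WHERE email LIKE ? " + orderBy + " LIMIT ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, "%@" + domain); // bound: cannot break out of the string literal
            ps.setInt(2, limit);            // (LIKE wildcards inside 'domain' are a separate validation matter)
            try (ResultSet rs = ps.executeQuery()) { return collect(rs); }
        }
    }
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString(1));
        return out;
    }
}
```

Binding stops the data from being parsed as SQL; it does not validate the data, so limits on length, character set or LIKE metacharacters still belong in the caller.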