From: "Luca Morandini"
To: cocoon-dev@xml.apache.org
Subject: R: R: A case of SQL injection
Date: Tue, 5 Nov 2002 16:23:04 +0100
In-Reply-To: <3DC7DE38.10501@kaon.com>

> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)

Ilya, you might be oblivious of the presence of PL/SQL (sort of) in PostgreSQL...

Best regards,

Luca Morandini
Istituto Poligrafico e Zecca dello Stato
lmorandini@ieee.org
spectrum.morandini@ipzs.it

> -----Original Message-----
> From: Ilya A. Kriveshko [mailto:ilya@kaon.com]
> Sent: Tuesday 5 November 2002 16.05
> To: cocoon-dev@xml.apache.org
> Subject: Re: R: A case of SQL injection
>
>
> Luca Morandini wrote:
>
> >Torsten,
> >
> >call me boring, but, wouldn't it be better using stored procedures over
> >dynamic SQL ?
> >
>
> Our aim is to have stored procedures implemented in MySQL Server
> around version 5.0.
>
> Not everyone uses $$$ DBs. We, the lowest common denominator, get offended
> when not taken care of... :-)
>
> As far as DB exploits go, IMO, prepared statements are the simplest and
> the most reliable way to ensure security against SQL injection. I think it
> should be a rule that no piece of data ever gets concatenated into an SQL
> query. Using PreparedStatement.set() should be the only accepted way to
> do that.
> The only strings that can be concatenated into a dynamic SQL query should
> be SQL fragments that are declared locally in the source code. Anything
> short of that would never pass a peer code review 'round these parts.
> --
> Ilya
>
> >It offers: SoC, code re-use, security, performance...
> >
> >Best regards,
> >
> >Luca Morandini
> >lmorandini@ieee.org

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
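Ilya's rule, as an added example that is not part of the thread: request data reaches the query only through bind parameters, and the one string ever spliced into the query text is an SQL fragment declared locally in the source. Written in Python with sqlite3 rather than JDBC so it runs stand-alone; the users table, its rows and the ORDER BY fragment table are constructed here.

```python
import sqlite3

# Constructed sample data: (name, password, created) rows for a tiny users table.
SAMPLE_USERS = [("alice", "s3cret", 1), ("bob", "hunter2", 2)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, created INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """The pattern the thread rejects: data concatenated into the query text.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (name = ? AND password = '') OR '1'='1', which matches every row.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_prepared(conn, name, password):
    """Ilya's rule: the query text is fixed; values travel as bind parameters.

    The same  ' OR '1'='1  input is compared as a literal password and
    matches nothing.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# The only strings that may be spliced into SQL: fragments declared locally
# in the source. A request supplies a key into this table, never the fragment.
SORT_FRAGMENTS = {"name": "name ASC", "newest": "created DESC"}


def list_users(conn, sort_key):
    """Dynamic ORDER BY without ever concatenating request data."""
    fragment = SORT_FRAGMENTS.get(sort_key)
    if fragment is None:
        raise ValueError("unknown sort key: %r" % (sort_key,))
    sql = "SELECT name FROM users ORDER BY " + fragment
    return [row[0] for row in conn.execute(sql)]
```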