cocoon-users mailing list archives

From Geoff Howard <coc...@leverageweb.com>
Subject Re: binding params in dynamic queries in ESQL
Date Fri, 05 Mar 2004 21:45:48 GMT
Geoff Howard wrote:

>
> How are you protecting against SQL Injection attacks?
> <esql:query>select * from foo where foo.x = 
> '<xsp-request:get-parameter name="bar"/>'</esql:query>
>
> if you take myVar in any way from a request parameter, what happens if 
> I pass in a value like bar=abc;delete%20from%20foo (try it on your app).


Oops, changed my example without changing all references - myVar is 
supposed to be bar obviously.

I don't have many soapboxes but this is one of them - I have inherited 
applications crippled by problems like this.

Geoff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org
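The difference between the concatenated query quoted above and a bound parameter, as an added example that is not part of the original message or of Cocoon. It uses Python's standard sqlite3 module in place of ESQL (whose own binding mechanism is the esql:parameter element, which compiles down to a JDBC PreparedStatement); the table, its rows and the inputs are constructed here. The concatenated form hands every character of the request parameter to the SQL parser, so even an honest value containing a quote breaks the statement, while the bound form keeps the SQL text fixed and treats the parameter purely as a string value.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'foo' table in the message."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (x text, payload text)")
    conn.executemany(
        "insert into foo values (?, ?)",
        [("abc", "first"), ("O'Brien", "second"), ("xyz", "third")],
    )
    conn.commit()
    return conn


def query_concatenated(conn, bar):
    """The pattern quoted in the thread: the request parameter is pasted
    into the SQL text, so whatever it contains (quotes included) is parsed
    as SQL rather than as data."""
    sql = "select x, payload from foo where foo.x = '" + bar + "'"
    return conn.execute(sql).fetchall()


def query_bound(conn, bar):
    """Bound-parameter form: the statement text never changes; the value
    travels separately and is always interpreted as a string literal."""
    return conn.execute(
        "select x, payload from foo where foo.x = ?", (bar,)
    ).fetchall()


def row_count(conn):
    return conn.execute("select count(*) from foo").fetchone()[0]


def demo():
    """Run both forms against the same inputs and collect what happened."""
    conn = make_db()
    results = {}
    # Ordinary value: both forms agree.
    results["concat_plain"] = query_concatenated(conn, "abc")
    results["bound_plain"] = query_bound(conn, "abc")
    # Legitimate value containing a quote: only the bound form survives.
    try:
        query_concatenated(conn, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = "syntax error: " + str(exc)
    results["bound_quote"] = query_bound(conn, "O'Brien")
    # The value from the message, bound: it is just a string that matches
    # nothing, and the table is untouched.
    results["bound_payload"] = query_bound(conn, "abc;delete from foo")
    results["rows_after"] = row_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The failing case for the concatenated form is a plain surname with an apostrophe, which is the same mechanism an attacker relies on: the database cannot tell where the developer's SQL ends and the user's input begins. With binding that boundary is fixed by the driver, which is why the subject line's "binding params" is the fix rather than escaping or filtering input.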

