cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Painter-Wakefield <paint...@mc.duke.edu>
Subject Re: binding params in dynamic queries in ESQL
Date Fri, 05 Mar 2004 22:06:11 GMT




I thought that ESQL used JDBC prepared statements, regardless of whether
you have bound parameters; while it won't protect you fully, won't it throw
an exception if it receives two queries (which this attack results in)?
Perhaps I'm wrong on this point.  It isn't ideal, but if your dynamic SQL
is only doing selects, and only against data that isn't sensitive, then the
worst case scenario is perhaps an attack that slows your server down (and
the attacker would have to know a good deal about your schema to do that).
If I'm wrong about this JDBC behavior, then I probably need to look at some
stuff, too!

-Christopher



|---------+---------------------------->
|         |           Geoff Howard     |
|         |           <cocoon@leveragew|
|         |           eb.com>          |
|         |                            |
|         |           03/05/2004 04:45 |
|         |           PM               |
|         |           Please respond to|
|         |           users            |
|         |                            |
|---------+---------------------------->
  >--------------------------------------------------------------------------------------------------------------|
  |                                                                                      
                       |
  |       To:       users@cocoon.apache.org                                              
                       |
  |       cc:                                                                            
                       |
  |       Subject:  Re: binding params in dynamic queries in ESQL                        
                       |
  >--------------------------------------------------------------------------------------------------------------|




Geoff Howard wrote:

>
> How are you protecting against SQL Injection attacks?
> <esql:query>select * from foo where foo.x =
> '<xsp-request:get-parameter name="bar"/>'</esql:query>
>
> if you take myVar in any way from a request parameter, what happens if
> I pass in a value like bar=abc;delete%20from%20foo (try it on your app).


Oops, changed my example without changing all references - myVar is
supposed to be bar obviously.

I don't have many soapboxes but this is one of them - I have inherited
applications crippled by problems like this.

Geoff



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Mime
View raw message