commons-dev mailing list archives

From Oliver Heger <oliver.he...@oliver-heger.de>
Subject Re: [configuration] DatabaseConfiguration - should it escape SQL?
Date Sat, 19 Jan 2008 21:36:00 GMT
Henri Yandell wrote:
> On Jan 17, 2008 1:17 PM, Oliver Heger <oliver.heger@oliver-heger.de> wrote:
>> Henri Yandell wrote:
>>
>>> Should the DatabaseConfiguration class be responsible for protecting
>>> against SQL Injection, or should we make sure the javadoc states that
>>> it offers no protection and leave that up to the user?
>>>
>>> Hen
>>>
>> Adding a note about this topic to the documentation would certainly do
>> no harm.
>>
>> From a short look at the code I think that chances for SQL Injection on
>> a correctly initialized DatabaseConfiguration (i.e. the settings for the
>> database table are valid) are pretty small: Everywhere
>> PreparedStatements are used.
> 
> Fortify was flagging for all the places where prepared statements are
> built from strings with variables in them, i.e. columnName etc.
> 
> I think this is a case of the SQL Injection worry being outside the
> scope of the library. For example; no one is concerned that java.sql
> has SQL Injection issues.
> 
> +1 to the javadoc.
> 
> Hen
> 
I created a ticket for this issue [1], so that it won't get lost.

Oliver

[1] https://issues.apache.org/jira/browse/CONFIGURATION-304
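As an added illustration (not code from Commons Configuration or from either poster), the pattern the thread describes and the check it leaves to the user: the property key is bound as a JDBC parameter, but table and column names cannot be bound, so they are allow-listed before being concatenated into the statement text. The class and method names here are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Illustrative only: mirrors the pattern discussed, not the library's own code. */
public final class IdentifierSafeLookup {

    // Identifiers cannot be bound with setString(), so they are allow-listed instead.
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private final String table;
    private final String keyColumn;
    private final String valueColumn;

    public IdentifierSafeLookup(String table, String keyColumn, String valueColumn) {
        this.table = requireIdentifier(table, "table");
        this.keyColumn = requireIdentifier(keyColumn, "keyColumn");
        this.valueColumn = requireIdentifier(valueColumn, "valueColumn");
    }

    /** Rejects anything that is not a plain SQL identifier; this is the check the thread leaves to the user. */
    static String requireIdentifier(String id, String what) {
        if (id == null || !SAFE_IDENTIFIER.matcher(id).matches()) {
            throw new IllegalArgumentException(what + " is not a plain SQL identifier: " + id);
        }
        return id;
    }

    /** Statement text: identifiers are concatenated (already validated), the key is a bound parameter. */
    String selectSql() {
        return "SELECT " + valueColumn + " FROM " + table + " WHERE " + keyColumn + " = ?";
    }

    public String getProperty(Connection conn, String key) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(selectSql())) {
            ps.setString(1, key); // the value goes through the driver's parameter binding
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The constructor fails fast on a table or column name that is not a bare identifier, so a misconfigured or attacker-influenced setting is rejected before any statement text is built.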

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org

