cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From nikosdim <>
Subject Re: Is FIQL SQL Injection safe?
Date Wed, 26 Jun 2013 11:08:18 GMT

I tested the code in my initial post and indeed there is no problem for SQL
injection attacks related to DROP, DELETE, UPDATE etc. 

But in the type of SQL injection attack shown below 

select * from table where something= 'value derived from FIQL'

If the user gives           blala' or 'x' = 'x                in the request
then the query that we get from the visitor.getQuery(); is 
select * from table where something='blala' or 'x' = 'x' which passes

So as far as I can understand there is a vulnerability there. 

Also validation in the setters cannot always work because of the nature of
the data that are stored in the database. 

I was wondering how is the sql String produced by the FIQL library? Is it by
concatinating the strings that the user passes on the URL? 


View this message in context:
Sent from the cxf-user mailing list archive at

View raw message