cxf-users mailing list archives

From Sergey Beryozkin <>
Subject Re: Is FIQL SQL Injection safe?
Date Tue, 25 Jun 2013 10:52:01 GMT
On 25/06/13 10:16, nikosdim wrote:
> Hi
> I am currently about to give FIQL SQL a try, and I was wondering
> whether the code below is SQL injection safe. If not, is there any way to protect
> ourselves from SQL injection attacks?
> // Imports for the CXF 2.7.x package layout:
> import org.apache.cxf.jaxrs.ext.search.SearchCondition;
> import org.apache.cxf.jaxrs.ext.search.SearchContext;
> import org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor;
> SearchCondition<Book> sc = searchContext.getCondition(Book.class); // searchContext: injected @Context SearchContext
> SQLPrinterVisitor<Book> visitor = new SQLPrinterVisitor<Book>("table");
> sc.visit(visitor);

SQLPrinterVisitor itself will produce a statement starting from SELECT.
Without knowing much about all the possible injection attack variations, 
I'd say that a DB won't do an update as part of a SELECT?
Now, assuming it is somehow possible to trick the DB, say by having a 
SELECT statement encode bad SQL statements within some of the SELECT 
values, for example "SELECT name from table where name=*BAD_SQL*", then the 
best thing one can do is to make sure that the Book setters do the 
validation; for example, a setName(String value) method ensures 'name' has a 
valid value, etc.

Cheers, Sergey

> Thanks

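The setter-side validation Sergey suggests, written out as an added example (this is not code from the thread or from the CXF project). It assumes the CXF 2.7-era class locations org.apache.cxf.jaxrs.ext.search.FiqlParser and org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor (CXF 3.x moved FiqlParser into the fiql subpackage), a table named "books", a hypothetical whitelist regex for book names, and that FiqlParser fills a Book instance through its setters so that an exception thrown in setName surfaces as a SearchParseException before any SQL text is produced.

```java
import org.apache.cxf.jaxrs.ext.search.FiqlParser;
import org.apache.cxf.jaxrs.ext.search.SearchCondition;
import org.apache.cxf.jaxrs.ext.search.SearchParseException;
import org.apache.cxf.jaxrs.ext.search.sql.SQLPrinterVisitor;

public class FiqlSetterValidation {

    // Bean used as the FIQL target. FiqlParser instantiates it and assigns each
    // parsed value through the matching setter (assumption about CXF 2.7
    // internals; confirm against the version you deploy), so the setters are
    // the last place to reject values before they reach the rendered SQL.
    public static class Book {
        private String name;
        private int year;

        public String getName() { return name; }

        public void setName(String value) {
            // Assumed whitelist policy: letters, digits, space and a few
            // punctuation marks. Single quotes, semicolons and comment markers
            // are deliberately not allowed.
            if (value == null || !value.matches("[A-Za-z0-9 .,!?-]{1,100}")) {
                throw new IllegalArgumentException("rejected book name: " + value);
            }
            this.name = value;
        }

        public int getYear() { return year; }

        public void setYear(int value) {
            // Range check; the int conversion already blocks non-numeric input.
            if (value < 1450 || value > 2100) {
                throw new IllegalArgumentException("rejected year: " + value);
            }
            this.year = value;
        }
    }

    // Parse a FIQL expression against Book and render it with
    // SQLPrinterVisitor, the same path the question asks about.
    static String toSql(String fiql) throws SearchParseException {
        FiqlParser<Book> parser = new FiqlParser<Book>(Book.class);
        SearchCondition<Book> sc = parser.parse(fiql);
        SQLPrinterVisitor<Book> visitor = new SQLPrinterVisitor<Book>("books");
        sc.visit(visitor);
        return visitor.getQuery();
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign query and one carrying a quote and an
        // OR clause in the value position of the name comparison.
        String[] queries = {
            "name==Dune;year=gt=1960",
            "name==x' OR '1'='1"
        };
        for (String q : queries) {
            try {
                System.out.println(q + "  ->  " + toSql(q));
            } catch (SearchParseException e) {
                System.out.println(q + "  ->  rejected at parse time: " + e.getMessage());
            }
        }
    }
}
```

With the checks in place the second query never reaches SQLPrinterVisitor; remove them and the quoted value is carried into the generated WHERE clause as-is, which is the situation Sergey's "name=*BAD_SQL*" sketch describes. The whitelist in setName is therefore the only barrier between the FIQL value and the SQL string, so keep it as tight as the data allows.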