cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Is FIQL SQL Injection safe?
Date Tue, 25 Jun 2013 10:52:01 GMT
Hi
On 25/06/13 10:16, nikosdim wrote:
> Hi
>
> I am currently about to give FIQL-to-SQL a try, and I was wondering
> whether the code below is SQL injection safe. If not, is there any way to
> protect ourselves from SQL injection attacks?
>
>
> SearchCondition<Book> sc = searchContext.getCondition(Book.class);
> SQLPrinterVisitor<Book> visitor = new SQLPrinterVisitor<Book>("table");
> sc.visit(visitor);
>

SQLPrinterVisitor itself will produce a statement starting from SELECT.
Without knowing much about all the possible injection attack variations, 
I'd say that a DB won't do an update as part of a SELECT?
Now, assuming it is possible somehow to trick the DB, say by having a 
SELECT statement somehow encode bad SQL statements within some of the SELECT 
values, for example "SELECT name from table where name=*BAD_SQL*", then the 
best thing one can do is to make sure that the Book setters do the 
validation; for example, a setName(String value) method ensures 'name' has a 
valid value, etc.

Cheers, Sergey



> Thanks
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Is-FIQL-SQL-Injection-safe-tp5729800.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
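As an added illustration of the question in this thread (a Python sketch written for this page, not CXF code and not the real SQLPrinterVisitor implementation; whether a given CXF release escapes or binds values has to be checked against that release's source), the block below models the single FIQL form `prop==value` and renders it two ways: the naive SELECT-only string concatenation, and a parameterised query with the property name checked against a whitelist. It also includes a setter-style value check of the kind Sergey suggests. The `books` table, its columns and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the demo; the table layout is an assumption,
# not anything CXF defines.
BOOKS = [("CXF in Action", 2012), ("Internal Roadmap", 2013)]
COLUMNS = {"name", "year"}          # whitelist of queryable properties
NAME_RE = re.compile(r"^[A-Za-z0-9 .-]{1,100}$")


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    return conn


def parse_fiql_eq(expr):
    """Parse the single FIQL form 'prop==value' (a toy subset, not CXF's parser)."""
    prop, sep, value = expr.partition("==")
    if not sep or not prop:
        raise ValueError("only 'prop==value' is supported here")
    return prop, value


def render_naive(expr, table="books"):
    """Concatenating printer: emits only a SELECT, yet the value is still injectable."""
    prop, value = parse_fiql_eq(expr)
    return f"SELECT name, year FROM {table} WHERE {prop} = '{value}'"


def render_param(expr, table="books"):
    """Hardened printer: property name whitelisted, value passed as a bind parameter."""
    prop, value = parse_fiql_eq(expr)
    if prop not in COLUMNS:
        raise ValueError(f"unknown property {prop!r}")
    return f"SELECT name, year FROM {table} WHERE {prop} = ?", (value,)


def validate_name(value):
    """Setter-style check (as suggested in the reply): reject anything outside a
    tight character set. Defence in depth; parameter binding is the primary control."""
    if not NAME_RE.match(value):
        raise ValueError("invalid name")
    return value


def run_naive(expr):
    """Execute the concatenated query and return the rows."""
    return fresh_db().execute(render_naive(expr)).fetchall()


def run_param(expr):
    """Execute the parameterised query and return the rows."""
    sql, params = render_param(expr)
    return fresh_db().execute(sql, params).fetchall()


if __name__ == "__main__":
    attack = "name==x' OR '1'='1"   # constructed tautology in the FIQL value
    print(render_naive(attack))
    print(run_naive(attack))       # both rows leak: the WHERE clause is always true
    print(run_param(attack))       # [] : the whole string is compared as one literal
    try:
        render_param("name; DROP TABLE books--==x")
    except ValueError as e:
        print("rejected property:", e)
    try:
        validate_name("x' OR '1'='1")
    except ValueError as e:
        print("rejected value:", e)
```

The point the toy shows is that "it only ever emits a SELECT" is not a safety property: a value containing a single quote rewrites the WHERE clause, and a property name that is not checked against a whitelist is interpolated unquoted. Binding the value and whitelisting the column are the fixes; a restrictive setter check on top of that narrows what ever reaches the printer.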


