db-torque-user mailing list archives

From "Will Glass-Husain" <wgl...@forio.com>
Subject security concern
Date Tue, 27 May 2003 17:25:06 GMT

I have a web-based system that allows outside users to create accounts and upload Velocity
templates.  These templates, among other things, can display records from the database using
Torque objects.

I've recently realized this presents a security hazard.  If a user gets access to the Peer
class using the getPeer method, they can execute arbitrary SQL code in my database with the
executeStatement method.

What's the easiest way to prevent this?  I've overridden getPeer to return null.  Is this
sufficient to prevent the execution of arbitrary SQL code by untrusted template designers
who have a Torque object?

Thanks for any advice,
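One engine-level way to enforce the restriction asked about above, as an added example that is not part of the original message nor of Torque or Velocity itself: a custom Velocity Uberspect that refuses to resolve getPeer() and any method on a Torque Peer object, so a template that reaches a Peer by any route cannot invoke executeStatement. It assumes Velocity 1.5 or later (UberspectImpl.getMethod signature) and Torque 3.x, where generated Peer classes extend org.apache.torque.util.BasePeer; NoPeerUberspect and restrictedEngine are hypothetical names.

```java
// Added example, not code from the original message or from Torque/Velocity.
// Assumes Velocity >= 1.5 and Torque 3.x (Peer classes extend BasePeer).
import org.apache.torque.util.BasePeer;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.util.introspection.Info;
import org.apache.velocity.util.introspection.UberspectImpl;
import org.apache.velocity.util.introspection.VelMethod;

/**
 * Introspector that keeps Torque Peer objects out of reach of templates.
 * Returning null from getMethod makes Velocity treat the reference as
 * unresolved, so "$record.getPeer()" and any call on a Peer (including
 * executeStatement) render as literal text instead of running.
 * This is independent of the per-class getPeer() override the message
 * describes, so it also covers Peers placed in the context by other code.
 */
public class NoPeerUberspect extends UberspectImpl {

    @Override
    public VelMethod getMethod(Object obj, String methodName, Object[] args, Info i) {
        if (obj == null) {
            return null;
        }
        // Deny the documented entry point into the Peer layer.
        if ("getPeer".equals(methodName)) {
            return null;
        }
        // Deny every method on a Peer instance, however the template obtained it.
        if (obj instanceof BasePeer) {
            return null;
        }
        try {
            return super.getMethod(obj, methodName, args, i);
        } catch (Exception e) {
            // Velocity 1.x declares a checked exception here; 2.x does not.
            throw new RuntimeException(e);
        }
    }

    /** Builds an engine wired to this restricted introspector (hypothetical helper). */
    public static VelocityEngine restrictedEngine() throws Exception {
        VelocityEngine ve = new VelocityEngine();
        // runtime.introspector.uberspect is the standard Velocity property name.
        ve.setProperty("runtime.introspector.uberspect", NoPeerUberspect.class.getName());
        ve.init();
        return ve;
    }
}
```

Render untrusted templates only through an engine built this way; the default engine still exposes every public method of every object reachable from the context.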

