db-torque-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Manske <netsee...@manskes.de>
Subject Re: Torque and SQL Injection
Date Fri, 23 Feb 2007 12:41:30 GMT
Hi Daniel,

afaik it is neither the job of a ORM-tool nor is it possible at all to secure such a layer
SQL-injection. Torque does explicitly allow the usage of custom SQL. Hence some kind of SQL-injection
is a real feature (in terms of extensibility and flexibility) in an ORM-tool and not really
a vulnerability.
I think the caller respectively the used DAO-Layer has to do the job to prevent unwanted SQL-injection.

So to answer your question: It is known that is it possible to do SQL-injection with Torque.
The used
Criteria-Class does not contain any logic to check for additional (injected) SQL-statements.
And to be honest: I'm happy with that, because if it is really neccessary, we can do a lot
of "sql-tricks" with Torque
without switching to raw SQL completely :-)


Vitzethum, Daniel schrieb:
> Hello all,
> is anything known about the vulnerability of Torque (versions 3.1 / 3.2)
> regarding SQL injection? One of our customers wants to know if anything
> has to be done to make Torque resistant against attacks of this kind...
> Many thanks in advance,
> Daniel
> ------------------------------------------------------------------------
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.441 / Virus Database: 268.18.3/698 - Release Date: 23.02.2007 04:39

To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org

View raw message