db-torque-user mailing list archives

From Thomas Fischer <fisc...@seitenbau.net>
Subject Re: Torque and SQL Injection
Date Fri, 23 Feb 2007 13:18:03 GMT
I'm not completely sure, but I'd think that Torque is protected against SQL
injection if one uses it in a regular manner.
- Torque does its inserts and updates using prepared statements, so it is
the responsibility of the db drivers to protect against sql injection (and
that works well, as far as I know).
- Regarding Selects, Torque does escape special characters in Strings, so
it should not be possible to sql-inject into String criteria. Using numbers
(Integers and the like) should also be fine.
In other usages, one can certainly find examples where SQL injection is
possible; but then I'd take Michael's point of view that the programmer
using Torque has to think about what he does.

Michael, if you disagree and you do have an example where sql injection is
possible using string and number criteria, please say so, but please
describe your vulnerability in an email to any of the torque developers
(and not in a public email).

      Thomas

Michael Manske <netseeker@manskes.de> wrote on 23.02.2007 13:41:30:

> Hi Daniel,
>
> afaik it is neither the job of an ORM tool nor is it possible at all
> to secure such a layer against
> SQL injection. Torque does explicitly allow the usage of custom SQL.
> Hence some kind of SQL injection
> is a real feature (in terms of extensibility and flexibility) in an
> ORM tool and not really a vulnerability.
> I think the caller, or respectively the DAO layer used, has to do the job
> of preventing unwanted SQL injection.
>
> So to answer your question: It is known that it is possible to do
> SQL injection with Torque. The used
> Criteria class does not contain any logic to check for additional
> (injected) SQL statements.
> And to be honest: I'm happy with that, because if it is really
> necessary, we can do a lot of "sql tricks" with Torque
> without switching to raw SQL completely :-)
>
> cheers
> Michael
>
>
>
>
> Vitzethum, Daniel wrote:
> > Hello all,
> >
> > is anything known about the vulnerability of Torque (versions 3.1 /
> > 3.2) regarding SQL injection? One of our customers wants to know if
> > anything has to be done to make Torque resistant against attacks of
> > this kind...
> >
> > Many thanks in advance,
> >
> > Daniel
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
> For additional commands, e-mail: torque-user-help@db.apache.org
>


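The thread above contrasts three ways a value reaches the database: driver-side parameter binding (what Thomas says Torque uses for inserts and updates), quote-escaping of string criteria (what he says Torque does for selects), and values the caller is trusted to have kept numeric or to have written as custom SQL (Michael's "it is the caller's job"). The toy criteria builder below, added for this archive page, puts the three side by side on an in-memory sqlite3 table so the difference can be observed. It is not Torque code and says nothing about how Torque's Criteria class is actually implemented; the `account` table, its rows, the attacker strings and every function name are constructed for illustration.

```python
"""Constructed example: three ways of putting a caller-supplied value into a
SELECT, and what an injection attempt does to each.  Not Torque code.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with one privileged row the attacker should not reach.
    Rows are inserted with parameter binding, as an ORM's insert path would."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")],
    )
    return conn


def select_bound(conn, name):
    """Parameter binding: the value never becomes part of the SQL text, so the
    driver hands it to the engine as data regardless of what it contains."""
    rows = conn.execute("SELECT id FROM account WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def escape_string(value: str) -> str:
    """Hypothetical string-criterion escaping: double every single quote and
    wrap the result in quotes, the usual SQL string-literal rule."""
    return "'" + value.replace("'", "''") + "'"


def select_escaped(conn, name):
    """String criterion spliced into the SQL text after quote-escaping.  The
    attacker's quote is neutralised, so the whole input stays one literal."""
    sql = "SELECT id FROM account WHERE name = " + escape_string(name)
    return [r[0] for r in conn.execute(sql).fetchall()]


def select_numeric_unchecked(conn, id_value):
    """'Numeric' criterion spliced in raw.  No quoting applies to numbers, so
    if the caller passes a string here it is executed as SQL verbatim."""
    sql = "SELECT id FROM account WHERE id = " + str(id_value)
    return [r[0] for r in conn.execute(sql).fetchall()]


def is_plain_integer(value) -> bool:
    """Caller-side check for a numeric criterion: an int, or a string that is
    nothing but an optionally signed run of digits."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    return isinstance(value, str) and re.fullmatch(r"-?\d+", value.strip()) is not None


def select_numeric_checked(conn, id_value):
    """Same raw splice, but only after the caller has proven the value numeric."""
    if not is_plain_integer(id_value):
        raise ValueError("numeric criterion must be a plain integer: %r" % (id_value,))
    return select_numeric_unchecked(conn, int(id_value))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed attacker string for a string criterion
    numeric_probe = "0 OR role = 'admin'"  # constructed attacker string for a numeric one
    print("bound   :", select_bound(db, probe))              # []
    print("escaped :", select_escaped(db, probe))            # []
    print("raw num :", select_numeric_unchecked(db, numeric_probe))  # [3]
    try:
        select_numeric_checked(db, numeric_probe)
    except ValueError as exc:
        print("checked :", exc)
```

The point the thread makes shows up in the last two functions: escaping protects the string path and binding protects everything, but a criterion the builder treats as a number gets no escaping at all, so whether the raw path is safe is decided entirely by the caller having validated the value first.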