ibatis-user-cs mailing list archives

From oleksa borodie <oleksa.boro...@gmail.com>
Subject Re: Integrate custom changes into trunk?
Date Tue, 22 Mar 2005 10:51:56 GMT
On Tue, 22 Mar 2005 05:42:54 -0500, Ted Husted <ted.husted@gmail.com> wrote:

> > > Doing so exposes it to SQL injection attacks.
> >
> > But I'm replacing all single quotes with double quotes, as you can
> > see. I'm using iBATIS with an application server and thought that it is
> > enough to replace one single quote with two single quotes. Isn't it?
> ...
> Do we have any unit tests which show how iBATIS.NET reacts when SQL
> injection is attempted?

What tests do you mean? A test that shows how performance increases in
the case of replacing parameters with their values, or a test of how SQL
injection is avoided with the Replace("\'", "\'\'") operator? I could try to
write some for SQL injection. Should I?

> If there is a debate over a feature, the best thing might be to focus
> on tests that demonstrate the feature.

There is one more problem: the performance problem with sp_executesql is
specific to MS SQL Server only, so replacing parameters with their values
is relevant only for MS SQL connections. For all others it will be
unnecessary AFAIK.

Good luck.
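The thread asks for unit tests showing how a data layer behaves when SQL injection is attempted. The following is an added example, not code from this list or from iBATIS.NET, and it uses Python's sqlite3 module and a constructed in-memory "users" table (hypothetical names and rows) rather than MS SQL Server. It contrasts the quote-doubling approach discussed above, which inlines the value into the SQL text, with a bound parameter, which keeps the value out of the SQL text entirely. Doubling single quotes is only meaningful inside a quoted string literal; a value placed in a numeric position has no quotes to escape, so the parameterised form is shown for that case as well.

```python
import sqlite3

# Constructed sample data (not from the thread): one name contains a single quote.
SAMPLE_ROWS = [(1, "O'Brien"), (2, "Smith")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def escape_literal(value: str) -> str:
    """Quote-doubling, the equivalent of Replace("'", "''").

    Correct only when the result is placed between single quotes in the SQL
    text; it does nothing useful for values spliced into unquoted positions.
    """
    return value.replace("'", "''")


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Inline the escaped value into the SQL text (the approach under debate)."""
    sql = "SELECT id FROM users WHERE name = '" + escape_literal(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Bind the value as a parameter: it is never part of the SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


def find_by_id_param(conn: sqlite3.Connection, raw_id: str) -> list:
    """Numeric slot: there is no quoting to escape, so bind a parameter.

    The driver compares the bound value against the INTEGER column; input
    that is not a well-formed number simply matches nothing.
    """
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE id = ?", (raw_id,))]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_escaped(db, "O'Brien"))   # [1]
    print(find_by_name_param(db, "O'Brien"))     # [1]
    print(find_by_id_param(db, "1"))             # [1]
```

Both name lookups return the same row for a value containing a quote, so the quote-doubling claim holds for quoted string literals on this engine. The difference is in scope: the parameterised lookups need no per-type escaping, which is why a test suite for a data layer should cover string and non-string slots separately.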
