ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pham Anh Tuan" <anht...@ichi-corp.jp>
Subject Re: [HELP] Whether or not iBatis support SQL Injection?
Date Wed, 06 Jul 2005 06:38:25 GMT
[
select * from foo where id = ?

...then a second parameter is sent to the driver to tell it that the
value of the ? placeholder is 1. The parameter 1 is not used to modify
the SQL.
]

why does the solution above can protect us from SQL Injection problems? 
because, I see that finally value of ? still be integer 1.

Is there any magic when  "...then a second parameter is sent to the driver 
to tell it that the
value of the ? placeholder is 1"

I don't understand :(
----- Original Message ----- 
From: "Larry Meadors" <larry.meadors@gmail.com>
To: <user-java@ibatis.apache.org>
Sent: Wednesday, July 06, 2005 10:25 AM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?


> When you use this:
>
> <select id="good" resultMap="myResultMap">
> select * from foo where id = #value#
> </select>
>
> ...and call it like this:
>
> MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1));
>
> ...iBATIS creates a prepared statement, so the SQL that goes to the 
> database is:
>
> select * from foo where id = ?
>
> ...then a second parameter is sent to the driver to tell it that the
> value of the ? placeholder is 1. The parameter 1 is not used to modify
> the SQL.
>
> However, when you use this:
>
> <select id="bad" resultMap="myResultMap">
> select * from foo where id = $value$
> </select>
>
> ...and call it like this:
>
> MyBean b = (MyBean)sqlMap.queryForObject("bad", new Integer(1));
>
> ...iBATIS creates a prepared statement, but the SQL that goes to the
> database is:
>
> select * from foo where id = 1
>
> ...so the object passed in (the Integer in this case) is used to
> modify the SQL that is executed. This is where the danger is.
>
> Let's say instead of an integer, a String was passed in from a web
> page and the input was not checked. If the string was "1", that would
> be just fine. However, a user could send a string like this: "1;drop
> table foo;--", and instead of the query above, you would get this:
>
> select * from foo where id = 1;drop table foo;--
>
> Oops! what happened to the foo table?
>
> If you can use the ## syntax, do.
>
> Larry
>
>
> On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
>> oh, thanks all you :)
>>
>> but I don't understand clearly why when we use ## is more safe than using
>> $$.
>>
>> Is there any special things in using ## ???
>>
>> help me!
>> ----- Original Message -----
>> From: "Brandon Goodin" <brandon.goodin@gmail.com>
>> To: <user-java@ibatis.apache.org>
>> Sent: Tuesday, July 05, 2005 8:54 PM
>> Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
>>
>>
>> > If you are using the #myProperty# delimiters you need not worry about
>> > sql injection. If you use the $myProperty$ literals you would need to
>> > guard against sql injection on your own.
>> >
>> > Brandon.
>> >
>> > On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I don't know whether or not iBatis support checking SQL Injection or 
>> >> not
>> >> ?
>> >>
>> >> plz help me :)
>> >>
>> >> Pham
>> >
>> >
>>
>>
>>
>
> 



Mime
View raw message