ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pham Anh Tuan" <anht...@ichi-corp.jp>
Subject Re: [HELP] Whether or not iBatis support SQL Injection?
Date Wed, 06 Jul 2005 07:02:14 GMT
hey :)

I must read more about that :)

If you have any document about "What that means in more proactical
terms is that if the parameter is '1;drop table foo;--', then the
query will fail, because it is not an integer", plz show me uh :)

Larry, thank you very much :")


----- Original Message ----- 
From: "Larry Meadors" <larry.meadors@gmail.com>
To: <user-java@ibatis.apache.org>
Sent: Wednesday, July 06, 2005 1:48 PM
Subject: Re: [HELP] Whether or not iBatis support SQL Injection?


> The difference is that the driver is responsible for escaping the
> parameters, not your application. What that means in more proactical
> terms is that if the parameter is '1;drop table foo;--', then the
> query will fail, because it is not an integer.
>
> So instead of dropping the table, a fairly harmless SQLException is 
> thrown.
>
> Larry
>
>
> On 7/6/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
>> [
>> select * from foo where id = ?
>>
>> ...then a second parameter is sent to the driver to tell it that the
>> value of the ? placeholder is 1. The parameter 1 is not used to modify
>> the SQL.
>> ]
>>
>> why does the solution above can protect us from SQL Injection problems?
>> because, I see that finally value of ? still be integer 1.
>>
>> Is there any magic when  "...then a second parameter is sent to the 
>> driver
>> to tell it that the
>> value of the ? placeholder is 1"
>>
>> I don't understand :(
>> ----- Original Message -----
>> From: "Larry Meadors" <larry.meadors@gmail.com>
>> To: <user-java@ibatis.apache.org>
>> Sent: Wednesday, July 06, 2005 10:25 AM
>> Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
>>
>>
>> > When you use this:
>> >
>> > <select id="good" resultMap="myResultMap">
>> > select * from foo where id = #value#
>> > </select>
>> >
>> > ...and call it like this:
>> >
>> > MyBean b = (MyBean)sqlMap.queryForObject("good", new Integer(1));
>> >
>> > ...iBATIS creates a prepared statement, so the SQL that goes to the
>> > database is:
>> >
>> > select * from foo where id = ?
>> >
>> > ...then a second parameter is sent to the driver to tell it that the
>> > value of the ? placeholder is 1. The parameter 1 is not used to modify
>> > the SQL.
>> >
>> > However, when you use this:
>> >
>> > <select id="bad" resultMap="myResultMap">
>> > select * from foo where id = $value$
>> > </select>
>> >
>> > ...and call it like this:
>> >
>> > MyBean b = (MyBean)sqlMap.queryForObject("bad", new Integer(1));
>> >
>> > ...iBATIS creates a prepared statement, but the SQL that goes to the
>> > database is:
>> >
>> > select * from foo where id = 1
>> >
>> > ...so the object passed in (the Integer in this case) is used to
>> > modify the SQL that is executed. This is where the danger is.
>> >
>> > Let's say instead of an integer, a String was passed in from a web
>> > page and the input was not checked. If the string was "1", that would
>> > be just fine. However, a user could send a string like this: "1;drop
>> > table foo;--", and instead of the query above, you would get this:
>> >
>> > select * from foo where id = 1;drop table foo;--
>> >
>> > Oops! what happened to the foo table?
>> >
>> > If you can use the ## syntax, do.
>> >
>> > Larry
>> >
>> >
>> > On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
>> >> oh, thanks all you :)
>> >>
>> >> but I don't understand clearly why when we use ## is more safe than 
>> >> using
>> >> $$.
>> >>
>> >> Is there any special things in using ## ???
>> >>
>> >> help me!
>> >> ----- Original Message -----
>> >> From: "Brandon Goodin" <brandon.goodin@gmail.com>
>> >> To: <user-java@ibatis.apache.org>
>> >> Sent: Tuesday, July 05, 2005 8:54 PM
>> >> Subject: Re: [HELP] Whether or not iBatis support SQL Injection?
>> >>
>> >>
>> >> > If you are using the #myProperty# delimiters you need not worry 
>> >> > about
>> >> > sql injection. If you use the $myProperty$ literals you would need

>> >> > to
>> >> > guard against sql injection on your own.
>> >> >
>> >> > Brandon.
>> >> >
>> >> > On 7/5/05, Pham Anh Tuan <anhtuan@ichi-corp.jp> wrote:
>> >> >>
>> >> >> Hi all,
>> >> >>
>> >> >> I don't know whether or not iBatis support checking SQL Injection

>> >> >> or
>> >> >> not
>> >> >> ?
>> >> >>
>> >> >> plz help me :)
>> >> >>
>> >> >> Pham
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>>
>
> 



Mime
View raw message