ibatis-user-java mailing list archives

From Clinton Begin <clinton.be...@gmail.com>
Subject Re: R: [HELP] Whether or not iBatis support SQL Injection?
Date Sun, 10 Jul 2005 03:40:20 GMT
Hi Nathan,

Given:

SELECT * FROM ACCOUNT WHERE USERNAME = ? and PASSWORD = ?

Consider that without prepared statements it would likely be implemented 
like this:

String username = "cbegin";
String password = "barnacle";
String sql = "SELECT * FROM ACCOUNT WHERE USERNAME = '" + username
             + "' AND PASSWORD = '" + password + "'";

Now consider what would happen if the password was this:

String password = "xxxxx' OR USERNAME = 'cbegin";

You'd end up with the SQL statement:

SELECT * FROM ACCOUNT WHERE USERNAME = 'cbegin' AND PASSWORD = 'xxxxx' OR 
USERNAME = 'cbegin'

In Microsoft SQL Server, this would load the ACCOUNT record without the 
password.

iBATIS protects against this by always using PreparedStatement, but if you 
use $substitutions$ in your statements, be very careful! 

Cheers,
Clinton


On 7/9/05, Nathan Maves <Nathan.Maves@sun.com> wrote:
> 
> I was asked the question "What is SQL injection and how can I avoid it?"
> 
> I understand it to a point but an example would be great.
> 
> Nathan
> 
> On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:
> 
> > Yes, it does pass the SQL directly to the driver, but unless you use
> > the $$ syntax for parameters, you should be safe with iBATIS.
> >
> > The $$ syntax is the only part of iBATIS that allows string
> > concatenation, which is the biggest source of SQL injection attacks.
> >
> > If you are using a really crappy jdbc driver, you could have issues
> > with it somehow botching things in its implementation of prepared
> > statements, but I have not heard of a single case of that happening.
> >
> > Larry
> >
> >
> > On 7/5/05, Fabrizio Gianneschi
> > <fabrizio.gianneschi@gruppoatlantis.com> wrote:
> >
> >>
> >> Since iBatis uses PreparedStatements a lot, it's safer than old
> >> school JDBC
> >> code, even if it's still vulnerable because it passes the SQL
> >> directly to
> >> the driver without checking, afaik. You can always use some good
> >> tricks to
> >> increase the robustness of your SQL, but...
> >>
> >> ...this type of checking is not responsibility of a SQL mapper
> >> layer like
> >> iBATIS.
> >> I think you should check your user input in higher server side
> >> layers, such
> >> as the presentation one; Struts Actions and/or ActionForms, for
> >> example.
> >>
> >> Fab
> >>
> >> ________________________________
> >> From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp]
> >> Sent: Tuesday, 5 July 2005 12:16
> >> To: iBatis
> >> Subject: [HELP] Whether or not iBatis support SQL Injection?
> >>
> >>
> >>
> >> Hi all,
> >>
> >> I don't know whether or not iBatis supports checking for SQL
> >> Injection?
> >>
> >> plz help me :)
> >>
> >> Pham
> >
> 
>
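As an added example (not from this thread), the login query Clinton describes, run against a constructed in-memory SQLite table in Python as a stand-in for the Java/JDBC code: the concatenated form (what $substitution$ amounts to) returns the cbegin row for a bogus password, while the placeholder form (the PreparedStatement / #parameter# equivalent) binds the value and returns nothing.

```python
import sqlite3


def setup_db():
    """Constructed sample ACCOUNT table matching the thread's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNT (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO ACCOUNT VALUES ('cbegin', 'barnacle')")
    conn.execute("INSERT INTO ACCOUNT VALUES ('nathan', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: SQL built by string concatenation, so the
    quote in the password closes the literal and the rest is parsed
    as SQL (the OR wins because AND binds tighter)."""
    sql = ("SELECT * FROM ACCOUNT WHERE USERNAME = '" + username
           + "' AND PASSWORD = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Safe form: placeholders are bound by the driver; the whole
    password string is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM ACCOUNT WHERE USERNAME = ? AND PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    bad_password = "xxxxx' OR USERNAME = 'cbegin"
    print(login_concat(conn, "cbegin", bad_password))    # [('cbegin', 'barnacle')]
    print(login_prepared(conn, "cbegin", bad_password))  # []
```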
