ibatis-user-java mailing list archives

From "Fabrizio Gianneschi" <fabrizio.giannes...@gruppoatlantis.com>
Subject R: [HELP] Whether or not iBatis support SQL Injection?
Date Tue, 05 Jul 2005 11:02:24 GMT
Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC
code, even if it's still vulnerable because it passes the SQL directly to
the driver without checking, afaik. You can always use some good tricks to
increase the robustness of your SQL, but...
 
...this type of checking is not the responsibility of a SQL mapper layer like
iBATIS.
I think you should check your user input in higher server side layers, such
as the presentation one; Struts Actions and/or ActionForms, for example.
 
Fab

  _____  

From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp] 
Sent: Tuesday, 5 July 2005 12:16
To: iBatis
Subject: [HELP] Whether or not iBatis support SQL Injection?


Hi all,
 
I don't know whether or not iBatis supports checking SQL Injection or not?
 
plz help me :)
 
Pham
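
Added example, not part of the original messages and not iBATIS code: a simplified Python model of the two iBATIS 2.x SQL-map placeholder styles, `#name#` (bound through the PreparedStatement) and `$name$` (pasted into the SQL text before the driver sees it), run against an in-memory SQLite table. The table, the mapped statements and the input are constructed, and `render`, `run` and `raw_substitutions` are hypothetical helper names.

```python
import re
import sqlite3

# Simplified model of the two iBATIS 2.x placeholder styles (assumption: this
# mirrors the mapper's behaviour, it is not the mapper's code).
TOKEN = re.compile(r"#(\w+)#|\$(\w+)\$")

BOUND = "SELECT id FROM account WHERE owner = #owner# ORDER BY id"
PASTED = "SELECT id FROM account WHERE owner = '$owner$' ORDER BY id"

def render(mapped_sql, params):
    """Return (sql, binds) as they would be handed to the database driver."""
    binds = []
    def repl(match):
        if match.group(1):                 # #name#: value travels as a bind
            binds.append(params[match.group(1)])
            return "?"
        return str(params[match.group(2)])  # $name$: value becomes SQL text
    return TOKEN.sub(repl, mapped_sql), binds

def raw_substitutions(mapped_sql):
    """Names used as $name$; each needs allow-list validation upstream."""
    return [m.group(2) for m in TOKEN.finditer(mapped_sql) if m.group(2)]

def run(conn, mapped_sql, params):
    sql, binds = render(mapped_sql, params)
    return conn.execute(sql, binds).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    hostile = "x' OR '1'='1"               # constructed test input
    return {
        "bound_normal": run(conn, BOUND, {"owner": "bob"}),
        "bound_hostile": run(conn, BOUND, {"owner": hostile}),
        "pasted_normal": run(conn, PASTED, {"owner": "bob"}),
        "pasted_hostile": run(conn, PASTED, {"owner": hostile}),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running `raw_substitutions` over every statement in a SQL map gives a review list of the parameters that depend on input checking in a higher layer.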
