ibatis-user-java mailing list archives

From Nathan Maves <Nathan.Ma...@Sun.COM>
Subject Re: R: [HELP] Whether or not iBatis support SQL Injection?
Date Sun, 10 Jul 2005 03:14:10 GMT
I was asked the question "What is SQL injection and how can I avoid it?"

I understand it to a point but an example would be great.

Nathan

On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:

> Yes, it does pass the SQL directly to the driver, but unless you use
> the $$ syntax for parameters, you should be safe with iBATIS.
>
> The $$ syntax is the only part of iBATIS that allows string
> concatenation, which is the biggest source of SQL injection attacks.
>
> If you are using a really crappy jdbc driver, you could have issues
> with it somehow botching things in its implementation of prepared
> statements, but I have not heard of a single case of that happening.
>
> Larry
>
>
> On 7/5/05, Fabrizio Gianneschi <fabrizio.gianneschi@gruppoatlantis.com> wrote:
>
>>
>> Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC
>> code, even if it's still vulnerable because it passes the SQL directly to
>> the driver without checking, afaik. You can always use some good tricks to
>> increase the robustness of your SQL, but...
>>
>> ...this type of checking is not the responsibility of a SQL mapper layer like
>> iBATIS.
>> I think you should check your user input in higher server side layers, such
>> as the presentation one; Struts Actions and/or ActionForms, for example.
>>
>> Fab
>>
>>  ________________________________
>> From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp]
>> Sent: Tuesday, 5 July 2005 12.16
>> To: iBatis
>> Subject: [HELP] Whether or not iBatis support SQL Injection?
>>
>>
>>
>> Hi all,
>>
>> I don't know whether or not iBatis supports checking SQL Injection?
>>
>> plz help me :)
>>
>> Pham
>


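Added example, not part of the thread: a runnable sqlite3 illustration of the difference Larry describes. Text substitution stands in for iBATIS `$name$` (or a JDBC Statement built by string concatenation), a bound `?` parameter stands in for `#name#` (a JDBC PreparedStatement), and `is_valid_username` is the kind of higher-layer input check Fabrizio suggests. The table, column names and inputs are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_by_name_substituted(conn, name):
    # Text substitution: the analogue of iBATIS $name$ or string-concatenated
    # JDBC. The input becomes part of the SQL text, so a quote in it can
    # change the statement's structure.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_name_bound(conn, name):
    # Bound parameter: the analogue of iBATIS #name# / PreparedStatement.
    # The value is handed to the driver separately from the SQL text and is
    # compared as data; it can never alter the statement.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def is_valid_username(name):
    # Presentation-layer check (e.g. a Struts ActionForm): accept only the
    # characters a username is allowed to contain, and reject everything else
    # before it reaches the mapper. Rule is an assumption for this demo.
    return 1 <= len(name) <= 32 and name.replace("_", "").isalnum()


def demo():
    conn = make_db()
    hostile = "x' OR 'a'='a"  # constructed input containing a quote
    return {
        # substituted query matches every row; bound query matches none
        "substituted": find_by_name_substituted(conn, hostile),
        "bound": find_by_name_bound(conn, hostile),
        "validated": is_valid_username(hostile),
        "normal": find_by_name_bound(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```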