ibatis-user-java mailing list archives

From Nathan Maves <Nathan.Ma...@Sun.COM>
Subject Re: R: [HELP] Whether or not iBatis support SQL Injection?
Date Sun, 10 Jul 2005 03:23:34 GMT
Found the answer in a later posting....  Guess that's what I get for
being a Canuck for a week :)

Nathan

On Jul 9, 2005, at 9:14 PM, Nathan Maves wrote:

> I was asked the question "What is SQL injection and how can I avoid it?"
>
> I understand it to a point but an example would be great.
>
> Nathan
>
> On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:
>
>
>> Yes, it does pass the SQL directly to the driver, but unless you use
>> the $$ syntax for parameters, you should be safe with iBATIS.
>>
>> The $$ syntax is the only part of iBATIS that allows string
>> concatenation, which is the biggest source of SQL injection attacks.
>>
>> If you are using a really crappy jdbc driver, you could have issues
>> with it somehow botching things in its implementation of prepared
>> statements, but I have not heard of a single case of that happening.
>>
>> Larry
>>
>>
>> On 7/5/05, Fabrizio Gianneschi  
>> <fabrizio.gianneschi@gruppoatlantis.com> wrote:
>>
>>
>>>
>>> Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC
>>> code, even if it's still vulnerable because it passes the SQL directly to
>>> the driver without checking, afaik. You can always use some good tricks to
>>> increase the robustness of your SQL, but...
>>>
>>> ...this type of checking is not the responsibility of a SQL mapper layer like
>>> iBATIS.
>>> I think you should check your user input in higher server side layers, such
>>> as the presentation one; Struts Actions and/or ActionForms, for example.
>>>
>>> Fab
>>>
>>> ________________________________
>>> From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp]
>>> Sent: Tuesday, 5 July 2005 12.16
>>> To: iBatis
>>> Subject: [HELP] Whether or not iBatis support SQL Injection?
>>>
>>>
>>>
>>> Hi all,
>>>
>>> I don't know whether or not iBatis supports checking for SQL Injection?
>>>
>>> plz help me :)
>>>
>>> Pham
>>>
>>
>>
>
>


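The distinction Larry draws above between the `$$` placeholder style (string concatenation) and the `#` style (PreparedStatement parameters), as an added example that is not part of the original thread: it is a small Python model of the two substitution rules run over an in-memory sqlite3 table, not iBATIS code, and the table, rows, mapped statements and lookup functions are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# The same mapped statement written with each iBATIS 2.x placeholder style.
DOLLAR_STYLE = "SELECT email FROM users WHERE name = '$name$'"
HASH_STYLE = "SELECT email FROM users WHERE name = #name#"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def render_dollar(sql, params):
    # $prop$ is text substitution: the value is spliced into the SQL string
    # before it reaches the driver, so any quote in the value becomes SQL syntax.
    return re.sub(r"\$(\w+)\$", lambda m: str(params[m.group(1)]), sql)


def render_hash(sql, params):
    # #prop# becomes a JDBC '?' bind marker; the value is shipped separately as a
    # PreparedStatement parameter and is never parsed as part of the statement.
    names = re.findall(r"#(\w+)#", sql)
    return re.sub(r"#(\w+)#", "?", sql), [params[n] for n in names]


def lookup_dollar(conn, name):
    sql = render_dollar(DOLLAR_STYLE, {"name": name})
    return [row[0] for row in conn.execute(sql)]


def lookup_hash(conn, name):
    sql, args = render_hash(HASH_STYLE, {"name": name})
    return [row[0] for row in conn.execute(sql, args)]


def dollar_style_breaks(conn, name):
    # Even a legitimate value such as O'Brien corrupts a $$-built statement,
    # which makes apostrophes a cheap smoke test for spotting concatenation
    # in existing SQL maps.
    try:
        lookup_dollar(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

With a plain name both styles return the same row; with a value containing a quote, the `$$` rendering changes the statement's WHERE clause while the `#` rendering simply matches nothing.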