ibatis-user-java mailing list archives

From Fabio Insaccanebbia <finsaccaneb...@gmail.com>
Subject Re: [HELP] Whether or not iBatis support SQL Injection?
Date Wed, 06 Jul 2005 08:37:16 GMT
> If so, in another case, if another column named Name, data type is
> Varchar(or String), we have sql like below:
> 
> select * from user where name = ?
> 
> and ? has value is 'bowl;drop table foo;--' ... what will happen, Larry ?
> 

The query would be considered as 

select * from user where name = 'bowl;drop table foo;--'

(I guess it would just return 0 rows)

I prepared a long, detailed and complex explanation but then found
this short description..
I hope it's enough to clear the doubts.. :-)

"For instance, in Java, a secure way to build SQL statements is to
construct all queries with PreparedStatement instead of Statement
(....) When PreparedStatement is used, most JDBC drivers will prepare
a statement with the server, and then supply the parameters
separately. In either case, after the initial parsing, there is a
clear distinction between the SQL statement and the variable. The
variables are encapsulated and special characters within them are
automatically escaped in a manner suited to the target database.
Consequently, it is impossible for a hacker to pass malicious input
and have it treated as if it were the actual SQL statement— which is
necessary if the hacker is going to succeed with SQL injection
attacks."

(quoted from http://www.devx.com/security/Article/20678/0/page/2)
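The behaviour described in this reply, as an added example that is not part of the original thread: it uses Python's standard sqlite3 module, whose `?` parameter binding is the same mechanism the quoted passage describes for JDBC PreparedStatement (SQL text and values sent separately), so the thread's own input `bowl;drop table foo;--` is compared as a plain value, returns 0 rows, and the `foo` table survives. The table names and seed rows are constructed for the example; the concatenating function is included only to contrast with the bound one and to show how it breaks on a legitimate apostrophe.

```python
import sqlite3

# Constructed sample data: an in-memory database with the thread's "user" table
# and a second table "foo", the one the injected text tries to drop.
SEED_NAMES = ["alice", "O'Brien", "bowl"]

# The literal value discussed in the thread.
THREAD_INPUT = "bowl;drop table foo;--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer primary key, name text)")
    conn.execute("create table foo (id integer primary key)")
    # executemany binds each name as a parameter, never as SQL text.
    conn.executemany("insert into user (name) values (?)", [(n,) for n in SEED_NAMES])
    conn.commit()
    return conn


def find_by_name_bound(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding (the PreparedStatement analogue): the statement is
    parsed once and the value is supplied separately, so no character in
    `name` can alter the statement's structure."""
    rows = conn.execute("select * from user where name = ?", (name,))
    return [row[1] for row in rows]


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable counterpart: the value is spliced into the SQL text. Kept here
    only to contrast with the bound version above."""
    rows = conn.execute("select * from user where name = '" + name + "'")
    return [row[1] for row in rows]


def concat_breaks_on_quote(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query fails to parse for this value, i.e. the
    value's own characters were interpreted as SQL syntax."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.Error:
        return True


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (table,)
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("bound, thread input   ->", find_by_name_bound(db, THREAD_INPUT))
    print("table foo still there ->", table_exists(db, "foo"))
    print("bound, O'Brien        ->", find_by_name_bound(db, "O'Brien"))
    print("concat breaks on '    ->", concat_breaks_on_quote(db, "O'Brien"))
```

With binding, the apostrophe in `O'Brien` is just data and the row is found; with concatenation the same legitimate name produces a malformed statement, which is the symptom that the value has been merged into the SQL rather than kept apart from it.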