ibatis-user-java mailing list archives

From Larry Meadors <larry.mead...@gmail.com>
Subject Re: R: [HELP] Whether or not iBatis support SQL Injection?
Date Tue, 05 Jul 2005 13:01:58 GMT
Yes, it does pass the SQL directly to the driver, but unless you use
the $$ syntax for parameters, you should be safe with iBATIS.

The $$ syntax is the only part of iBATIS that allows string
concatenation, which is the biggest source of SQL injection attacks.

If you are using a really crappy jdbc driver, you could have issues
with it somehow botching things in its implementation of prepared
statements, but I have not heard of a single case of that happening.

Larry


On 7/5/05, Fabrizio Gianneschi <fabrizio.gianneschi@gruppoatlantis.com> wrote:
>  
> Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC
> code, even if it's still vulnerable because it passes the SQL directly to
> the driver without checking, afaik. You can always use some good tricks to
> increase the robustness of your SQL, but... 
>   
> ...this type of checking is not the responsibility of a SQL mapper layer like
> iBATIS. 
> I think you should check your user input in higher server side layers, such
> as the presentation one; Struts Actions and/or ActionForms, for example. 
>   
> Fab
>  
>  ________________________________
>  From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp] 
> Sent: Tuesday, 5 July 2005 12.16
> To: iBatis
> Subject: [HELP] Whether or not iBatis support SQL Injection?
> 
>  
>  
> Hi all, 
>   
> I don't know whether or not iBatis supports checking for SQL injection? 
>   
> Please help me :) 
>   
> Pham
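The difference Larry describes, shown in an iBATIS 2.x SqlMap file. This is an added illustration, not code from the thread or from the iBATIS project; the namespace, statement ids, the `account` table and its `id`/`username` columns are assumed for the example. `#value#` is turned into a JDBC `?` placeholder and the Java value is bound with `PreparedStatement.setXxx()`, so it never becomes part of the SQL text; `$value$` is spliced into the SQL string before the driver sees it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sqlMap PUBLIC "-//ibatis.apache.org//DTD SQL Map 2.0//EN"
  "http://ibatis.apache.org/dtd/sql-map-2.dtd">
<!-- Hypothetical mapping used only to illustrate #...# versus $...$ -->
<sqlMap namespace="Account">

  <!-- Bind parameter: #value# becomes "?" and iBATIS calls
       PreparedStatement.setString(1, value).
       Constructed input  x' OR '1'='1  produces the SQL
         SELECT id, username FROM account WHERE username = ?
       with the whole string bound as data; it matches no row. -->
  <select id="getAccountByName" parameterClass="string"
          resultClass="java.util.HashMap">
    SELECT id, username FROM account WHERE username = #value#
  </select>

  <!-- Text substitution: $value$ is concatenated into the statement
       before it reaches the driver. The same input produces
         SELECT id, username FROM account WHERE username = 'x' OR '1'='1'
       which is valid SQL and returns every account. Never put
       user-controlled data into a $...$ parameter. -->
  <select id="getAccountByNameUnsafe" parameterClass="string"
          resultClass="java.util.HashMap">
    SELECT id, username FROM account WHERE username = '$value$'
  </select>

  <!-- $...$ exists for what a bind parameter cannot express, such as an
       ORDER BY column. When it is genuinely needed, the calling code
       must reduce the value to a fixed whitelist (e.g. only "username"
       or "id" for sortColumn) before it is passed in, so nothing the
       user typed can reach the SQL text. -->
  <select id="listAccountsSorted" parameterClass="java.util.Map"
          resultClass="java.util.HashMap">
    SELECT id, username FROM account ORDER BY $sortColumn$
  </select>

</sqlMap>
```

A quick audit of an existing project is therefore a search for `$` inside `<select>`, `<insert>`, `<update>` and `<delete>` bodies in the sqlMap files; each hit needs either a whitelist in the caller or a rewrite to `#...#`.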
