Date: Sat, 09 Jul 2005 21:14:10 -0600
From: Nathan Maves
Subject: Re: R: [HELP] Whether or not iBatis support SQL Injection?
To: user-java@ibatis.apache.org
Message-id: <20514A00-D847-46BD-B49E-5791CEDB3118@sun.com>

I was asked the question "What is SQL injection and how can I avoid it?" I understand it to a point but an example would be great.

Nathan

On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:

> Yes, it does pass the SQL directly to the driver, but unless you use
> the $$ syntax for parameters, you should be safe with iBATIS.
>
> The $$ syntax is the only part of iBATIS that allows string
> concatenation, which is the biggest source of SQL injection attacks.
>
> If you are using a really crappy jdbc driver, you could have issues
> with it somehow botching things in its implementation of prepared
> statements, but I have not heard of a single case of that happening.
>
> Larry
>
>
> On 7/5/05, Fabrizio Gianneschi wrote:
>
>> Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC
>> code, even if it's still vulnerable because it passes the SQL directly to
>> the driver without checking, afaik. You can always use some good tricks to
>> increase the robustness of your SQL, but...
>>
>> ...this type of checking is not responsibility of a SQL mapper layer like
>> iBATIS.
>> I think you should check your user input in higher server side layers, such
>> as the presentation one; Struts Actions and/or ActionForms, for example.
>>
>> Fab
>>
>> ________________________________
>> From: Pham Anh Tuan [mailto:anhtuan@ichi-corp.jp]
>> Sent: Tuesday 5 July 2005 12:16
>> To: iBatis
>> Subject: [HELP] Whether or not iBatis support SQL Injection?
>>
>>
>>
>> Hi all,
>>
>> I don't know whether or not iBatis supports checking for SQL Injection?
>>
>> plz help me :)
>>
>> Pham
>
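The example Nathan asks for, added here as an illustration and not taken from the thread or from the iBATIS project: a plain-Java model (no iBATIS dependency) of the distinction Larry describes, where `#name#` becomes a PreparedStatement `?` placeholder whose value is sent to the driver separately, while `$name$` is pasted into the SQL text and so must be restricted to an allow-list. It also includes a small audit pass that lists every `$$` substitution in a sqlMap so each one can be reviewed. The class name `IbatisParamAudit`, the sqlMap fragment, the parameter values and the allow-list of sortable columns are all constructed for the example, and the rendering is a simplified model of iBATIS (it ignores features such as `#name:TYPE#` and dynamic SQL tags).

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not iBATIS code: a simplified model of how a sqlMap turns
 * #name# and $name$ into SQL, plus an audit helper that lists every $name$
 * substitution so it can be reviewed.
 */
public class IbatisParamAudit {

    // Constructed sqlMap fragment for the example (not from a real project).
    static final String SQL_MAP =
        "<sqlMap namespace=\"Account\">\n" +
        "  <select id=\"byUsername\" resultClass=\"Account\">\n" +
        "    SELECT * FROM account WHERE username = #username#\n" +
        "  </select>\n" +
        "  <select id=\"listSorted\" resultClass=\"Account\">\n" +
        "    SELECT * FROM account ORDER BY $orderBy$\n" +
        "  </select>\n" +
        "</sqlMap>\n";

    static final Pattern STATEMENT = Pattern.compile(
        "<(select|insert|update|delete)\\s+id=\"([^\"]+)\"[^>]*>(.*?)</\\1>", Pattern.DOTALL);
    static final Pattern BIND = Pattern.compile("#(\\w+)#");
    static final Pattern SUBST = Pattern.compile("\\$(\\w+)\\$");

    /** Result of rendering a statement: SQL text plus the ordered bind values. */
    static final class Prepared {
        final String sql;
        final List<Object> binds;
        Prepared(String sql, List<Object> binds) { this.sql = sql; this.binds = binds; }
    }

    /**
     * Models the two parameter syntaxes: #name# becomes a '?' placeholder whose
     * value travels separately to the driver, while $name$ is pasted into the
     * SQL text itself, so its value is accepted only if it is on the allow-list.
     */
    static Prepared prepare(String template, Map<String, Object> params, Set<String> allowedSubst) {
        // 1. Inline $name$ substitutions, refusing anything not on the allow-list.
        StringBuffer text = new StringBuffer();
        Matcher s = SUBST.matcher(template);
        while (s.find()) {
            Object v = params.get(s.group(1));
            if (v == null || !allowedSubst.contains(v.toString())) {
                throw new IllegalArgumentException(
                    "refusing to inline $" + s.group(1) + "$ = " + v + ": not on the allow-list");
            }
            s.appendReplacement(text, Matcher.quoteReplacement(v.toString()));
        }
        s.appendTail(text);

        // 2. Replace #name# with '?' and collect the values in order; they are
        //    never concatenated into the SQL, which is what keeps them safe.
        List<Object> binds = new ArrayList<>();
        StringBuffer sql = new StringBuffer();
        Matcher b = BIND.matcher(text);
        while (b.find()) {
            binds.add(params.get(b.group(1)));
            b.appendReplacement(sql, "?");
        }
        b.appendTail(sql);
        return new Prepared(sql.toString().trim(), binds);
    }

    /** Audit: statement id -> the $name$ tokens it inlines, for review. */
    static Map<String, List<String>> findSubstitutions(String sqlMapXml) {
        Map<String, List<String>> hits = new LinkedHashMap<>();
        Matcher m = STATEMENT.matcher(sqlMapXml);
        while (m.find()) {
            List<String> names = new ArrayList<>();
            Matcher s = SUBST.matcher(m.group(3));
            while (s.find()) names.add(s.group(1));
            if (!names.isEmpty()) hits.put(m.group(2), names);
        }
        return hits;
    }

    public static void main(String[] args) {
        Set<String> sortableColumns = Set.of("username", "created"); // constructed allow-list

        // #username# is bound: the quote in the value never becomes SQL text.
        Map<String, Object> p1 = Map.of("username", "o'brien");
        Prepared q1 = prepare("SELECT * FROM account WHERE username = #username#", p1, sortableColumns);
        System.out.println(q1.sql + "  binds=" + q1.binds);

        // $orderBy$ is inlined: only an allow-listed identifier may be pasted in.
        Map<String, Object> p2 = Map.of("orderBy", "created");
        Prepared q2 = prepare("SELECT * FROM account ORDER BY $orderBy$", p2, sortableColumns);
        System.out.println(q2.sql + "  binds=" + q2.binds);

        Map<String, Object> p3 = Map.of("orderBy", "not_a_column");
        try {
            prepare("SELECT * FROM account ORDER BY $orderBy$", p3, sortableColumns);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Audit pass: which statements in the map rely on $$ at all?
        System.out.println("statements using $$ substitution: " + findSubstitutions(SQL_MAP));
    }
}
```

Run with `java IbatisParamAudit.java` (Java 11 or later). The point to take from it is Larry's: a `#name#` value is bound and cannot change the shape of the statement, so it is the default to use; a `$name$` value is part of the SQL text, which is sometimes unavoidable (column names in an ORDER BY cannot be bound), and every such use is worth finding with a pass like `findSubstitutions` and guarding with an allow-list in the layer that receives user input, as Fab suggests.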