ibatis-user-java mailing list archives

From "Koka Kiknadze" <226...@gmail.com>
Subject Re: OT: Preventing sql injection attack
Date Fri, 22 Feb 2008 21:42:36 GMT
I think you can limit how many symbols the user can enter to some reasonable
value. If you can limit it, say to 20, you can use something like

Select * from ((((((((((((((((((((
Select * from table where column LIKE '$value$%'
))))))))))))))))))))

i.e. a malicious user will have to use 20 closing parentheses in the value -
no room left for extra SQL

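As an added example (not from the post above or from the iBATIS project), this is the alternative a defender normally reaches for instead of padding the query with parentheses: bind the value as a prepared-statement parameter, which in iBATIS SQL Maps means `#value#` rather than the literal-substitution `$value$` used in the post, so quotes and parentheses in the input are data, never SQL. It keeps the post's 20-character limit and additionally escapes the LIKE wildcards `%` and `_`, which string substitution also leaves unhandled; the table, rows and function names are constructed for the demonstration, using Python's sqlite3 in place of iBATIS.

```python
import sqlite3

MAX_LEN = 20  # the input length limit proposed in the post


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so the user's text is matched literally.

    The escape character itself is doubled first so an input backslash
    cannot neutralise the escaping of a following % or _.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def prefix_search(conn: sqlite3.Connection, value: str) -> list:
    """Equivalent of `... WHERE column LIKE '$value$%'` done safely.

    The pattern is passed as a bound parameter (the `?` placeholder, what
    iBATIS does for `#value#`), so any quote or parenthesis in `value`
    is compared as part of the string rather than parsed as SQL.
    """
    if len(value) > MAX_LEN:
        raise ValueError("input too long")
    pattern = escape_like(value) + "%"  # prefix match, wildcard added by us
    cur = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    )
    return [row[0] for row in cur.fetchall()]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the post's `table`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [("abc",), ("abcd",), ("ab_c",), ("xyz",), ("ab%",)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(prefix_search(db, "ab"))     # all four ab* rows
    print(prefix_search(db, "ab_"))    # only the row with a literal underscore
    print(prefix_search(db, "ab')"))   # no error, no match: just data
```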