ibatis-user-java mailing list archives

From Zoran Avtarovski <zo...@sparecreative.com>
Subject Re: Re : OT: Preventing sql injection attack
Date Fri, 22 Feb 2008 09:14:28 GMT
That's right. But in the case of an auto complete query you want to search
words starting with your argument which needs to look like: select from
table where login = 'fre%'

Escaping any single quotes in Java covers most attacks, but it's a shame
there's no SQL function for STARTS_WITH(#value#).

Z.

> They are, but only if you use the #blah# notation (in iBATIS) and not $blah$.
> 
> The difference is how the variables are added to the SQL.
> 
> In the first case, it does this:
> 
> select * from employee where login = #blah# -> select * from table
> where field = ?
> 
> In the second case, if the variable blah is 'fred', it does this:
> 
> select * from employee where login = $blah$ -> select * from employee
> where login = 'fred'
> 
> No parameter there, just straight SQL...so if blah = "'fred'; drop
> table employee;--", you're screwed:
> 
> select * from employee where login = 'fred'; drop table employee;--
> 
> That will do the select, drop the table, then the "--" (as a comment)
> makes sure the remainder of the SQL on the line doesn't make the parse
> fail.
> 
> Larry
> 
> 
> On Thu, Feb 21, 2008 at 1:14 AM, Gilles Schlienger <s_gilou@yahoo.com> wrote:
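Added example, not code from this thread or from iBATIS: a small Python script with the standard-library sqlite3 module standing in for iBATIS/JDBC. The `?` placeholder plays the role of `#value#` (bound parameter) and string concatenation plays the role of `$value$` (text substitution). It shows the "starts with" auto-complete case from Zoran's message done safely: the `%` is appended in application code, the LIKE metacharacters `%` and `_` in the user's prefix are escaped so they match literally, and the whole pattern is bound rather than pasted into the SQL. The `employee`/`login` names follow Larry's example; the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows for the employee table from Larry's example.
SAMPLE_LOGINS = ["fred", "freya", "frank", "alice", "f_x", "o'brien"]

# Escape character declared in the ESCAPE clause of the safe query.
LIKE_ESCAPE = "\\"


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (login TEXT NOT NULL)")
    conn.executemany("INSERT INTO employee (login) VALUES (?)",
                     [(login,) for login in SAMPLE_LOGINS])
    return conn


def starts_with_unsafe(conn, prefix):
    """Text substitution, the $value$ style: the prefix is pasted into the SQL.

    A single quote in the prefix changes the statement instead of the data,
    and a % or _ in the prefix acts as a wildcard, so 'f_' also matches 'fred'.
    """
    sql = ("SELECT login FROM employee WHERE login LIKE '"
           + prefix + "%' ORDER BY login")
    return [row[0] for row in conn.execute(sql)]


def unsafe_query_fails(conn, prefix):
    """True when the substituted statement is no longer valid SQL.

    This is the symptom a quote in the input produces with $value$-style
    substitution; the safe version below returns rows for the same input.
    """
    try:
        starts_with_unsafe(conn, prefix)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(value):
    """Escape the LIKE metacharacters so the user's prefix matches literally."""
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def starts_with_safe(conn, prefix):
    """Bound parameter, the #value# style.

    The '%' is appended in code and the complete pattern travels as a
    parameter, never as SQL text, so quotes in the prefix are just data.
    The ESCAPE clause makes the escaped % and _ match themselves.
    """
    pattern = escape_like(prefix) + "%"
    sql = ("SELECT login FROM employee WHERE login LIKE ? ESCAPE '\\' "
           "ORDER BY login")
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    for user_input in ["fre", "f_", "o'"]:
        print(repr(user_input), "safe  :", starts_with_safe(db, user_input))
        if unsafe_query_fails(db, user_input):
            print(repr(user_input), "unsafe: statement rejected as invalid SQL")
        else:
            print(repr(user_input), "unsafe:", starts_with_unsafe(db, user_input))
```

The same shape works with iBATIS: build `prefix + "%"` in Java after escaping `%` and `_`, pass it as `#value#` in a `LIKE #value# ESCAPE '\'` clause, and the driver binds it as a single parameter. Whether the escape character must be declared and which one is accepted varies by database, so check your vendor's LIKE documentation rather than assuming the SQLite behaviour shown here.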