ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry Meadors" <larry.mead...@gmail.com>
Subject Re: Re : OT: Preventing sql injection attack
Date Thu, 21 Feb 2008 12:08:58 GMT
They are, but only if you use the #blah# notation (in iBATIS) and not $blah$.

The difference is how the variables are added to the SQL.

In the first case, it does this:

select * from employee where login = #blah# -> select * from table
where field = ?

In the second case, if the variable blah is 'fred', it does this:

select * from employee where login = $blah$ -> select * from employee
where login = 'fred'

No parameter there, just straight SQL...so if blah = "'fred'; drop
table employee;--", you're screwed:

select * from employee where login = 'fred'; drop table employee;--

That will do the select, drop the table, then the "--" (as a comment)
makes sure the remainder of the SQL on the line doesn't make the parse
fail.

Larry


On Thu, Feb 21, 2008 at 1:14 AM, Gilles Schlienger <s_gilou@yahoo.com> wrote:
> Hi all,
>
>  Aren't PreparedStatements supposed to take care of ovoiding SQL Injection already ?
>
>  I thought so. Maybe not all cases ??
>
>  Gilles
>
>  ----- Message d'origine ----
>  De : Larry Meadors <larry.meadors@gmail.com>
>  À : user-java@ibatis.apache.org
>  Envoyé le : Jeudi, 21 Février 2008, 6h51mn 53s
>  Objet : Re: OT: Preventing sql injection attack
>
>
>
>  OK,
>  then
>  another
>  option...add
>  the
>  %
>  to
>  the
>  user
>  provided
>  input.
>
>  Larry
>
>
>  On
>  Wed,
>  Feb
>  20,
>  2008
>  at
>  10:23
>  PM,
>  Zoran
>  Avtarovski
>  <zoran@sparecreative.com>
>  wrote:
>  >
>  Thanks
>  Larry,
>  >
>  >
>  But
>  no
>  joy.
>  The
>  db
>  is
>  MySQL
>  5.
>  To
>  provide
>  more
>  details
>  we
>  are
>  already
>  >
>  escaping
>  single
>  quotes
>  with
>  two
>  single
>  quotes
>  in
>  the
>  business
>  logic
>  ie
>  >
>  stringSql.replaceAll("'",
>  "''")
>  >
>  >
>  Bit
>  I
>  was
>  hoping
>  there
>  was
>  a
>  more
>  elegant
>  solution,
>  like
>  the
>  one
>  you
>  >
>  suggested
>  -
>  which
>  is
>  not
>  working
>  for
>  me.
>  >
>  >
>  Z.
>  >
>  >
>  >
>  >
>  >
>  This
>  should
>  work:
>  >
>  >
>  >
>  >
>  select
>  *
>  from
>  table
>  where
>  column
>  LIKE
>  #value#
>  ||
>  '%'
>  >
>  >
>  >
>  >
>  Larry
>  >
>  >
>  >
>  >
>  On
>  Wed,
>  Feb
>  20,
>  2008
>  at
>  9:40
>  PM,
>  Zoran
>  Avtarovski
>  >
>  >
>  <zoran@sparecreative.com>
>  wrote:
>  >
>  >>
>  We
>  have
>  a
>  web
>  application
>  with
>  an
>  ajax
>  autocomplete
>  text
>  box.
>  The
>  problem
>  is
>  >
>  >>
>  that
>  currently
>  the
>  query
>  statement
>  for
>  the
>  ajax
>  query
>  is
>  :
>  >
>  >>
>  >
>  >>
>  Select
>  *
>  from
>  table
>  where
>  column
>  LIKE
>  '$value$%'
>  >
>  >>
>  >
>  >>
>  Which
>  is
>  susceptible
>  to
>  sql
>  injection
>  attacks.
>  >
>  >>
>  >
>  >>
>  One
>  solution
>  is
>  to
>  have
>  a
>  separate
>  connection
>  pool
>  with
>  read-only
>  >
>  >>
>  privileges,
>  but
>  this
>  seems
>  blunt
>  and
>  doesn't
>  prevent
>  malicious
>  access
>  to
>  >
>  >>
>  sensitive
>  data.
>  >
>  >>
>  >
>  >>
>  >
>  >>
>  Is
>  there
>  a
>  better
>  way
>  of
>  doing
>  this?
>  >
>  >>
>  >
>  >>
>  >
>  >>
>  Z.
>  >
>  >>
>  >
>  >>
>  >
>  >>
>  >
>  >
>  >
>
>
>
>
>
>
>       _____________________________________________________________________________
>  Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail http://mail.yahoo.fr
>

Mime
View raw message