Return-Path: Delivered-To: apmail-incubator-empire-db-dev-archive@minotaur.apache.org Received: (qmail 78645 invoked from network); 27 Jan 2010 06:33:32 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 27 Jan 2010 06:33:32 -0000 Received: (qmail 23188 invoked by uid 500); 27 Jan 2010 06:33:32 -0000 Delivered-To: apmail-incubator-empire-db-dev-archive@incubator.apache.org Received: (qmail 23160 invoked by uid 500); 27 Jan 2010 06:33:31 -0000 Mailing-List: contact empire-db-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: empire-db-dev@incubator.apache.org Delivered-To: mailing list empire-db-dev@incubator.apache.org Received: (qmail 23145 invoked by uid 99); 27 Jan 2010 06:33:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Jan 2010 06:33:31 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of francisdb@gmail.com designates 209.85.220.228 as permitted sender) Received: from [209.85.220.228] (HELO mail-fx0-f228.google.com) (209.85.220.228) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 27 Jan 2010 06:33:22 +0000 Received: by fxm28 with SMTP id 28so2571802fxm.20 for ; Tue, 26 Jan 2010 22:33:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type :content-transfer-encoding; bh=UVqF8iTmS0TBP6FdB30UamY6I91J5F0p13vNHFa7VIk=; b=BrzQgVhQHonaf212LfWvP+6TzU81EhynJrS+4yFYlpIxdlwqEgsYUEnJJUrySZRenL AZBZxjZbxsDMTRS6Jl/4meZKFRGeIazINy2WmJLbu2rG2GMiK+AyCjpEimQokBTeirAi M3vhFwzMCR8XjvHTKVDxEzKdlYvE3RPwILhEU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding; b=oAdjnaknJwYsWXxRVPaI1zkHtTF0twDSwrU4i1R1j3Yovv7WpLTm4hc2vKo5Mt128z AsUWteP16E8sBN9pOeOEK6t5kD4tAbOtXe0YR/81tyMZPIfSE+GDCxecxdRwsd1KJzgl +GtARfXY3/C7BFrWlPSGB0JsS2Jxjoybt3xYI= MIME-Version: 1.0 Received: by 10.239.193.77 with SMTP id h13mr1028589hbi.74.1264573981211; Tue, 26 Jan 2010 22:33:01 -0800 (PST) In-Reply-To: References: From: Francis De Brabandere Date: Wed, 27 Jan 2010 07:32:41 +0100 Message-ID: <3ab983231001262232n66471e77u451e26a97986f2ac@mail.gmail.com> Subject: Re: Type checks in DBCommand in order to avoid SQL Injection To: empire-db-dev@incubator.apache.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Would it be possible to somehow use prepared statements for this? On Wed, Jan 27, 2010 at 1:22 AM, McKinley wrote: > Would the check go into that the addSQL() -> > getObjectValue(expr.getDataType()... chain? In the case of my example, > I have passed in a string so rather than give too much deference to > the column data type, why not say "rare is the DBMS that will cast > this correctly, but the developer seems to want [where intCol1 =3D '0; > update this set that=3D\'bla\';']. Of course this requires adding a > bunch of type checks on that Object value that was passed to determine > that it is a string and should be quoted. I don't think I want any > parseInt or regexp for ';' and '--'. Just quote wrapping when the > value is character based. > > If you do add checks how about changing addSql() to addSql(boolean > safe)? addSql() would do any checks, but if you have white-listed all > your inputs you can use addSql(false) to get extra speed. > > I guess another option is that checks could be put into the > DBCompareColExpr generators like is() and isBetween() so that they > take specific types instead of Object, but that might be too much > boilerplate code. > > Thanks, > > McKinley > > > On Tue, Jan 26, 2010 at 11:37 PM, Rainer D=F6bele wro= te: >> Hi McKinley >> >> Just to let you know: >> In the Where clause of the DBCommand object we're not doing any type che= cks at all. >> Hence your SQL-Injection example below also works for other numeric colu= mns. >> >> The question is whether we should at this point or not. >> We're doing type-checks when working with DBRecord objects. >> They internally then use a DBCommand as well. >> Adding a check in DBCommand would mean a double check. >> >> I think the DBCommand is the lowest level. >> All checks should be performed at a higher level in order to avoid Overh= ead. >> >> Regards >> Rainer > --=20 http://www.somatik.be Microsoft gives you windows, Linux gives you the whole house.