jackrabbit-users mailing list archives

From "Ottinger, Joseph" <jottin...@techtarget.com>
Subject Security problem with QueryManager?
Date Thu, 05 Oct 2006 16:12:44 GMT
I was playing around with JCR's query facility and realised something a little scary. Perhaps
I'm just ignorant, but... hey, that's why I email the list, right?
When I build SQL queries, I do something like this: "select * from nt:unstructured where foo='"+bar+"'";
Oh, wait. If I was actually using JDBC, I'd *never* do this, because some fool out there will
try to set bar to something that will return more than I want it to return. To wit: bar might
equal "a' or 1=1" and lo, every node will be returned. Application error at best, exposure
of sensitive data at worst.
Then I thought, well, hey, I have XPath, right? But in XPath, I can construct a query the
same way. Hello, security hole.
Am I missing something?
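The concatenation the post describes next to the two ways JCR offers to keep the value out of the query syntax, as an added example in Java that is not part of the original message or of Jackrabbit's own code: quoting the value as a string literal (the only option in JCR 1.0, which is what a 2006 poster would have been using), and the JCR-SQL2 bind variables that JCR 2.0 added later. The `foo` property, the payload and the `SafeJcrQuery` class are constructed for the example; the `Session` is assumed to be supplied by the caller.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Added example (not from the original message or from Jackrabbit):
 * the concatenation the post describes beside two ways of keeping a
 * user-supplied value out of the query syntax. The string builders run
 * stand-alone; the two run*() methods need a live JCR Session, which is
 * assumed to be passed in by the caller.
 */
public class SafeJcrQuery {

    /** The pattern from the post: the value is pasted into the query text. */
    static String unsafeSql(String bar) {
        return "select * from nt:unstructured where foo='" + bar + "'";
    }

    /**
     * Quote a value as a JCR-SQL (or XPath 2.0-style) string literal.
     * Both grammars escape a single quote inside a single-quoted literal by
     * doubling it, so the value can no longer terminate the literal.
     * This covers string literals only: never concatenate user input into
     * property names, node type names or path steps, which have no such escape.
     */
    static String quoteLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** JCR 1.0 (JSR-170) has no bind variables, so quoting is the only defence. */
    static String escapedSql(String bar) {
        return "select * from nt:unstructured where foo=" + quoteLiteral(bar);
    }

    /** The same rule applied to the XPath form of the query. */
    static String escapedXPath(String bar) {
        return "//element(*, nt:unstructured)[@foo=" + quoteLiteral(bar) + "]";
    }

    static QueryResult runEscapedSql(Session session, String bar) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        return qm.createQuery(escapedSql(bar), Query.SQL).execute();
    }

    /**
     * JCR 2.0 (JSR-283): a JCR-SQL2 bind variable is the parameterised
     * statement a JDBC user expects. The value never enters the query text.
     */
    static QueryResult runBoundSql2(Session session, String bar) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();
        Query q = qm.createQuery(
                "SELECT * FROM [nt:unstructured] AS n WHERE n.foo = $bar", Query.JCR_SQL2);
        q.bindValue("bar", vf.createValue(bar));
        return q.execute();
    }

    public static void main(String[] args) {
        // Constructed payload: closes the literal and appends a predicate
        // that matches every node carrying a foo property.
        String payload = "a' or foo like '%";

        System.out.println(unsafeSql(payload));
        System.out.println(escapedSql(payload));
        System.out.println(escapedXPath(payload));
    }
}
```

Running `main` prints the unsafe query with `foo='a' or foo like '%'`, two predicates, while the quoted versions carry `foo='a'' or foo like ''%'`, a single literal that matches only a property literally containing the payload. The bind-variable form is the one to prefer wherever JCR-SQL2 is available, since it removes the need to reason about literal syntax at all.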
