I know about SQL injection, but I do not see it here. The methods from the list
are located inside the code of the JayData library (http://jaydata.org/), and its
developers have taken care of the safety of substituting values within the
library code.
The application does not contain any plain SQL queries. Everything is done
through models and properly escaped before being substituted into raw SQL.
Thanks for the reply.
On 11.09.13 22:37, Hanchett, Paul wrote:
Your attached file seems to have been lost to the list...
A classic SQL vulnerability that can be detected automatically is not
using prepared SQL statements, using an exec query instead. Here's an
article that shows examples of both:
http://stackoverflow.com/questions/1703203/in-sqlite-do-prepared-statements-really-improve-performance.
The reason to use prepared statements is *not* speed but rather
security: using prepared statements, there is no way I can change the
prepared SQL statement into another command; it's relatively easy
to do with an exec if I can control some portion of the data inserted
into the exec (usually through concatenation).
Just a thought.
Paul
Paul Hanchett
-------------------
Infotainment Engineer
MSX on behalf of Jaguar Land Rover
One World Trade Center, 121 Southwest Salmon Street, 11th Floor,
Portland, Oregon, 97204
Email: phanc...@jaguarlandrover.com
-------------------
Business Details:
Jaguar Land Rover Limited
Registered Office: Abbey Road, Whitley, Coventry CV3 4LF
Registered in England No: 1672070
On Tue, Sep 10, 2013 at 9:33 PM, Вячеслав Зайцев <sl...@ifaced.ru> wrote:
Hi. I have a problem with certification. The application was rejected with the defect
"Security vulnerabilities in WebApp is detected. For more
information about the issue, please refer to the attached file.".
The attached file is a list of methods from the JayData library with the name
"executeQuery" and the line number in the file. Example:
cmd.executeQuery [SqLiteProvider.js]
sqlCommand.executeQuery [SqLiteProvider.js]
operationProvider.storageProvider.executeQuery
[IndexedDbProvider.min.js, IndexedDbProvider.js]
f.storageProvider.executeQuery [jaydata.min.js]
command.executeQuery [SqLiteProvider.js]
e.entityContext.executeQuery [jaydata.min.js]
data.QueryCache.executeQuery [jaydata.min.js]
g.executeQuery [SqLiteProvider.min.js]
a.executeQuery [jaydata.min.js]
this.entityContext.executeQuery [jaydata.min.js]
There is no explanation of the category of vulnerability or how to
reproduce it. I think that this is the result of an automatic code
scanner's work and just a mistake, but in the comments to the issue no one
has answered.
Has anyone encountered a problem like this? How can it be solved?
Content ID 000000004857
Defect ID 2218460
_______________________________________________
Application-dev mailing list
Application-dev@lists.tizen.org
https://lists.tizen.org/listinfo/application-dev
--
----------------------------------
Вячеслав Зайцев www.interfaced.ru
+7-3822-93-81-74 sl...@ifaced.ru
http://linkedin.com/in/vyatcheslav
----------------------------------
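The distinction Paul draws above (a fixed prepared statement with bound values versus SQL text assembled by concatenation) is what a scanner that keys on `executeQuery`-style names cannot judge from the call site alone; it has to see how the SQL text reached the call. The following is an added example, not code from this thread or from JayData, written in the JavaScript a Tizen web app would use. The query, the table name and the `?` placeholder convention are constructed for illustration; `sqlCodeTokens` is a deliberately minimal tokenizer that separates single-quoted literals from the rest of the statement, which is enough to show whether user input ended up where the database parser reads SQL rather than data.

```javascript
// Added example (not from the mailing-list thread or from JayData).
// All queries and inputs below are constructed for illustration.

// Vulnerable pattern: untrusted input is spliced into the SQL text, so the
// database parses whatever the input contains as SQL.
function buildByConcatenation(userName) {
  return "SELECT id, name FROM users WHERE name = '" + userName + "'";
}

// Escaping pattern: quotes in the value are doubled before splicing. This
// neutralises quote-based payloads but depends on the value always landing
// inside a single-quoted literal (a numeric or identifier context breaks it).
function escapeLiteral(value) {
  return String(value).replace(/'/g, "''");
}
function buildEscaped(userName) {
  return "SELECT id, name FROM users WHERE name = '" + escapeLiteral(userName) + "'";
}

// Prepared/parameterised pattern: the SQL text is a constant and the value
// travels separately, so it can never alter the statement. The `?`
// placeholder plus a params array is the shape used by SQLite-style
// executeSql(sql, params) APIs (an assumption about the target driver).
function buildParameterized(userName) {
  return { sql: "SELECT id, name FROM users WHERE name = ?", params: [userName] };
}

// Accept either a bare SQL string or a { sql, params } object.
function sqlTextOf(built) {
  return typeof built === "string" ? built : built.sql;
}

// Minimal tokenizer: replaces each single-quoted literal (with '' as the
// escape for a quote) by a <literal> marker and returns the remaining
// upper-cased tokens, i.e. what the parser treats as SQL code, not data.
function sqlCodeTokens(sql) {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] === "'") {
      i++; // skip opening quote
      while (i < sql.length) {
        if (sql[i] === "'") {
          if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote inside literal
          break;
        }
        i++;
      }
      i++; // skip closing quote (or run past the end if unterminated)
      out += " <literal> ";
    } else {
      out += sql[i++];
    }
  }
  return out.split(/\s+/).filter(Boolean).map(t => t.toUpperCase());
}

// Does a given input change the SQL code the database sees? Compare the
// code tokens for a benign value with the tokens for the tested value.
function inputChangesStatement(buildFn, value) {
  const baseline = sqlCodeTokens(sqlTextOf(buildFn("alice")));
  const tested = sqlCodeTokens(sqlTextOf(buildFn(value)));
  return baseline.join(" ") !== tested.join(" ");
}

// Two classic payloads, constructed for the demonstration.
const TAUTOLOGY = "x' OR '1'='1";
const STACKED = "x'; DROP TABLE users; --";

// Summary a reviewer or scanner would want: which builders let input
// reach the SQL code for each payload.
function report() {
  const builders = { buildByConcatenation, buildEscaped, buildParameterized };
  const result = {};
  for (const [name, fn] of Object.entries(builders)) {
    result[name] = {
      tautology: inputChangesStatement(fn, TAUTOLOGY),
      stacked: inputChangesStatement(fn, STACKED),
    };
  }
  return result;
}
```

Running `report()` shows that only `buildByConcatenation` lets either payload alter the statement's code tokens; the escaped form survives both payloads here but only because the value sits inside a quoted literal, which is why the parameterised form is the one to prefer and the one a scanner should recognise as safe regardless of the method name it is passed through.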