> I do not see a possibility of the aforementioned "DROP TABLE" exploit in
> this case. The only "unverified" data here is "id" and it is making its way
> into the query via two mechanisms that would ensure its safety:
> 
> 1) Integer.parseInt()
> 2) PreparedStatement.setInt() that is generated by <esql:parameter> element.
> 
> I say, you're safe here.

Guys, I guess we already had an agreement that we are pretty safe with
ESQL (just because of the prepared statements). But it's true - it's
really the question whether the DBMS should do the validation for us...
...but it does it very reliably ;)

> >     <esql:parameter type="int">
> >       <xsp:expr>
> >         Integer.parseInt(
> >           <xsp-request:get-parameter name="id" default="0"/>
> >         )
> >       </xsp:expr>
> >     </esql:parameter>

BTW: this snippet clearly states that Cocoon actually does a check
first ;) ...but we would be safe even without!

It's a deeper issue. Every time we ask for a request parameter we
need to keep in mind that it might be evil and it needs to be checked.
The question is whether it wouldn't make sense to have this centralized
somewhere.
--
Torsten
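As an added illustration (not code from this thread or from Cocoon), here is the same two-layer approach in Python against an in-memory SQLite table: a strict parseInt-style check that doubles as the centralized request-parameter validation discussed above, and a bound query parameter that keeps the value out of the SQL text even when that check is skipped. The table, parameter names and helper names are constructed for this example.

```python
import re
import sqlite3

# Mirrors Integer.parseInt: optional sign and decimal digits only, 32-bit range.
# Python's int() is looser (accepts whitespace and underscores), so a regex is used.
_INT_RE = re.compile(r"^[+-]?[0-9]+$")


def parse_int(text: str) -> int:
    """Strict parse; raises ValueError where parseInt would throw NumberFormatException."""
    if not _INT_RE.match(text):
        raise ValueError(f"not an integer: {text!r}")
    value = int(text)
    if not -2**31 <= value <= 2**31 - 1:
        raise ValueError(f"out of 32-bit range: {text!r}")
    return value


def get_int_parameter(params: dict, name: str, default: str = "0") -> int:
    """One central place where request parameters are checked (constructed helper).
    A missing parameter falls back to the default, as get-parameter default="0" does."""
    return parse_int(params.get(name, default))


def fetch_item(conn: sqlite3.Connection, params: dict):
    """Layer 1 (parse) plus layer 2 (bound parameter): the id is never spliced into SQL."""
    item_id = get_int_parameter(params, "id")
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def fetch_item_unchecked(conn: sqlite3.Connection, raw_id: str):
    """Layer 2 alone: even an unparsed string is sent as data, not as query text."""
    row = conn.execute("SELECT name FROM items WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the ESQL-backed database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def demo(raw_id: str):
    """Run a single request-parameter value through both layers."""
    try:
        return fetch_item(make_db(), {"id": raw_id})
    except ValueError as exc:
        return f"rejected: {exc}"
```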

