On Mon, Dec 6, 2010 at 7:18 PM, Karl Wright <daddy...@gmail.com> wrote:
> As for the sql injection question, please elaborate. There is no UI
> ability to do sql injection that I am aware of, because all the
> strings you might enter are properly escaped before being incorporated
> into queries. This includes queries that come via the API and
> Authority Service. So I guess I need an example of how you might
> cause a sql injection given the current code.
>

Escaping tends to only thwart casual attackers, not motivated ones or even automated tools. For example, the escaping I see used here, e.g. quoteSQLString, seems to only quote single-quote characters. There are a number of techniques to work around this type of escaping; some are listed here: http://www.slideshare.net/inquis/sql-injection-not-only-and-11

In my opinion all variables should be explicitly bound via PreparedStatements.
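The contrast the reply draws, escape-then-concatenate versus binding, as an added example that is not part of the thread or the project's code. It uses Python's sqlite3 and a constructed users table; quote_sql_string is a hypothetical stand-in that, like the quoteSQLString described above, doubles only single quotes.

```python
import sqlite3

# Constructed sample rows; not the project's schema.
_ROWS = [(1, "alice"), (2, "O'Brien"), (3, "bob")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def quote_sql_string(value):
    """Hypothetical stand-in for quoteSQLString: doubles single quotes only
    and wraps the value in quotes. The value still ends up inside the SQL text."""
    return "'" + value.replace("'", "''") + "'"


def find_by_name_escaped(conn, name):
    """Escape-then-concatenate: the user value is spliced into the statement,
    so the SQL text the parser sees changes with every input."""
    sql = "SELECT id FROM users WHERE name = " + quote_sql_string(name)
    return sql, [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Parameter binding (the PreparedStatement approach): the SQL text is
    fixed and the value travels separately, so it is never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ?"
    return sql, [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both variants for one input and return the SQL text and rows of each."""
    conn = _connect()
    try:
        esc_sql, esc_rows = find_by_name_escaped(conn, name)
        bound_sql, bound_rows = find_by_name_bound(conn, name)
    finally:
        conn.close()
    return {"escaped_sql": esc_sql, "escaped_rows": esc_rows,
            "bound_sql": bound_sql, "bound_rows": bound_rows}
```

With binding, the statement text is identical for every input; with escaping, each input produces a different statement, which is the surface the linked techniques work against.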