Bob Schellink wrote:
> ORMs like Hibernate/JPA/Cayenne take care of SQL injection by using
> prepared statements. If you use raw JDBC you should use prepared statements as well.
>
> See the defense strategies mentioned here:
> http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

Thank you for the pointer, Bob.
If the ORM solves this, then it's nice, but there are other cases that are not SQL injection (I don't know what they're called) but have a similar pattern: parameter attacks on webapps when using:
- an OODB - the Click#Form#copyTo() sends those modified params directly to the object database.
- an XML persistence is used.
- a file system is used for various operations - thus the parameter manipulation gains access to other files than those allowed.

thanks,
George.

--
View this message in context: http://n2.nabble.com/How-sure-is-Click-agains-SQL-injections-tp4813027p4817046.html
Sent from the click-development mailing list archive at Nabble.com.
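The copyTo() concern George raises is the over-binding pattern: every request parameter with a matching setter lands on the persisted object. The following added example (constructed for this note, not Click code; the Account class, the bindAll and bindAllowed helpers and the request map are all assumptions) contrasts a reflective copy-everything binder with one that only copies fields the form was rendered with.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed example (not Click code): a persisted object with a
// security-sensitive field that a browser form should never be able to set.
public class FormBindingDemo {
    public static class Account {
        private String email;
        private boolean admin;
        public void setEmail(String email) { this.email = email; }
        public String getEmail() { return email; }
        public void setAdmin(boolean admin) { this.admin = admin; }
        public boolean isAdmin() { return admin; }
    }

    // Naive binding: any request parameter with a matching setter is written.
    // This is the risk described in the post: a parameter the form never
    // rendered still reaches the object before it is saved.
    static void bindAll(Map<String, String> params, Object target) throws Exception {
        for (Method m : target.getClass().getMethods()) {
            if (!m.getName().startsWith("set") || m.getParameterCount() != 1) continue;
            String name = Character.toLowerCase(m.getName().charAt(3)) + m.getName().substring(4);
            String raw = params.get(name);
            if (raw == null) continue;
            Class<?> t = m.getParameterTypes()[0];
            m.invoke(target, t == boolean.class ? Boolean.parseBoolean(raw) : raw);
        }
    }

    // Hardened binding: only fields the form is allowed to edit are copied;
    // anything else in the request is dropped and logged for detection.
    static void bindAllowed(Map<String, String> params, Object target, Set<String> allowed) throws Exception {
        Map<String, String> filtered = new HashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (allowed.contains(e.getKey())) filtered.put(e.getKey(), e.getValue());
            else System.err.println("rejected unexpected parameter: " + e.getKey());
        }
        bindAll(filtered, target);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: "admin" was not part of the rendered form.
        Map<String, String> request = Map.of("email", "user@example.com", "admin", "true");
        Account a = new Account();
        bindAll(request, a);
        System.out.println("naive binding: admin=" + a.isAdmin());
        Account b = new Account();
        bindAllowed(request, b, Set.of("email"));
        System.out.println("allowlisted binding: admin=" + b.isAdmin());
    }
}
```

The same allowlist idea applies to the XML and file-system cases in the list: decide server-side which names a request may influence, rather than letting the request choose.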
