Henri Yandell wrote:
On Jan 17, 2008 1:17 PM, Oliver Heger <[EMAIL PROTECTED]> wrote:
Henri Yandell wrote:
Should the DatabaseConfiguration class be responsible for protecting
against SQL Injection, or should we make sure the javadoc states that
it offers no protection and leave that up to the user?
Hen
Adding a note about this topic to the documentation would certainly do
no harm.
From a short look at the code I think that the chances for SQL Injection on
a correctly initialized DatabaseConfiguration (i.e. the settings for the
database table are valid) are pretty small: PreparedStatements are used
everywhere.
Fortify was flagging all the places where prepared statements are
built from strings with variables in them, i.e. columnName etc.
I think this is a case of the SQL Injection worry being outside the
scope of the library. For example, no one is concerned that java.sql
has SQL Injection issues.
+1 to the javadoc.
Hen
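The distinction the two mails above turn on (values go through PreparedStatement placeholders, but the configured table and column names are concatenated into the statement text and so are never parameterized) is easiest to see with a runnable sketch. The following is an added Python/sqlite3 analogue written for this page; it is not Commons Configuration's Java code. The DatabaseConfig class, the check_identifier rule (a plain `[A-Za-z_][A-Za-z0-9_]*` identifier grammar), the table layout and the rows are all constructed for the demo and are assumptions, not the library's actual schema or policy.

```python
import re
import sqlite3

# Constructed demo schema and rows: a key/value table like the one a
# DatabaseConfiguration would read. Not real data.
_SCHEMA = """
CREATE TABLE config (cfg_key TEXT PRIMARY KEY, cfg_value TEXT);
INSERT INTO config VALUES ('db.user', 'app');
INSERT INTO config VALUES ('db.password', 'hunter2');
"""

# Assumed identifier policy for table/column names supplied at construction.
# Anything outside this grammar is refused before it reaches SQL text.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class IdentifierError(ValueError):
    """Raised when a configured table or column name is not a bare identifier."""


def check_identifier(name: str) -> str:
    if not _IDENT.fullmatch(name):
        raise IdentifierError(f"refusing SQL identifier {name!r}")
    return name


def rejects(name: str) -> bool:
    """True if the identifier check would refuse this table/column name."""
    try:
        check_identifier(name)
    except IdentifierError:
        return True
    return False


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


class DatabaseConfig:
    """Analogue of a DatabaseConfiguration: table and column names are fixed
    once at construction, property keys are looked up at runtime."""

    def __init__(self, conn, table, key_column, value_column, validate=True):
        if validate:
            table = check_identifier(table)
            key_column = check_identifier(key_column)
            value_column = check_identifier(value_column)
        self._conn = conn
        # Identifiers cannot be bound with '?', so they are spliced into the
        # statement text. This is exactly the spot a scanner flags: the names
        # are trusted configuration, not runtime input.
        self._select = (
            f"SELECT {value_column} FROM {table} WHERE {key_column} = ?"
        )

    def get_property(self, key):
        # The key is a bound parameter and is never parsed as SQL.
        row = self._conn.execute(self._select, (key,)).fetchone()
        return row[0] if row else None


def main():
    conn = open_demo_db()
    cfg = DatabaseConfig(conn, "config", "cfg_key", "cfg_value")
    print("normal lookup   :", cfg.get_property("db.user"))
    # A hostile key is harmless: it is compared as a string, not executed.
    print("hostile key     :", cfg.get_property("' OR 1=1 --"))

    # A hostile *column name* is a different story. With validation off, the
    # expression is spliced into the statement and reads another row's value.
    hostile = "(SELECT cfg_value FROM config WHERE cfg_key='db.password')"
    leaky = DatabaseConfig(conn, "config", "cfg_key", hostile, validate=False)
    print("hostile column  :", leaky.get_property("db.user"))

    # With the identifier check on, the same name is refused at construction.
    print("check refuses it:", rejects(hostile))


if __name__ == "__main__":
    main()
```

The takeaway matches the thread: once the table and column names are valid identifiers, the remaining inputs are bound parameters and cannot alter the statement, so the residual risk is whoever supplies those names. A cheap identifier check at construction time closes that path and keeps the scanner finding from depending on documentation alone.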
I created a ticket for this issue [1], so that it won't get lost.
Oliver
[1] https://issues.apache.org/jira/browse/CONFIGURATION-304