Hi again,
I was wondering if dbforms has any built-in protection against SQL
injection or if SQL injection is meant to be prevented outside of
dbforms (like f.i. by BadInputFilterValve for Tomcat which is
recommended in Tomcat: The Definitive Guide).
In dbforms, the way you can "inject" raw SQL code (i.e., as I understand it, a client that maliciously modifies its request) is through dbforms' tag attributes whereClause and (new) sqlFilter, and either way there's no protection (AFAIK). There's another problem, which is the handling of broken SQL code: now, when this occurs, what you receive is a blank page.
cheers, Sergio Moretti
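
One way an application can keep request data out of the SQL text it passes to attributes such as whereClause or sqlFilter, shown as an added example that is not from this thread or from dbforms: conditions are built only from allowlisted columns and operators, values are kept as bind parameters for a PreparedStatement, and a bad filter produces an explicit error rather than a blank page. The SafeWhere class, its allowlists and the customer table are hypothetical.

```java
import java.util.*;

// Added example: hypothetical helper, not part of dbforms.
public class SafeWhere {
    // Constructed allowlists: only these columns and operators may reach the SQL text.
    static final Set<String> COLUMNS = Set.of("id", "name", "city");
    static final Set<String> OPS = Set.of("=", "<>", "<", ">", "<=", ">=", "LIKE");

    final StringBuilder sql = new StringBuilder();
    final List<String> params = new ArrayList<>();

    // Adds one "column op ?" condition; the value is kept aside as a bind parameter.
    SafeWhere and(String column, String op, String value) {
        if (!COLUMNS.contains(column))
            throw new IllegalArgumentException("column not allowed: " + column);
        String o = op.toUpperCase(Locale.ROOT);
        if (!OPS.contains(o))
            throw new IllegalArgumentException("operator not allowed: " + op);
        sql.append(sql.length() == 0 ? " WHERE " : " AND ")
           .append(column).append(' ').append(o).append(" ?");
        params.add(value);
        return this;
    }

    public static void main(String[] args) {
        // Constructed request values, including one whose value carries SQL syntax.
        String[][] filters = { {"city", "=", "Rome"}, {"name", "like", "x' OR '1'='1"} };
        SafeWhere w = new SafeWhere();
        try {
            for (String[] f : filters) w.and(f[0], f[1], f[2]);
            // The SQL text contains only placeholders; values travel separately.
            System.out.println("SELECT id, name FROM customer" + w.sql);
            System.out.println("bind: " + w.params);
            // A column name that is not allowlisted is refused before any SQL is built.
            w.and("1=1 --", "=", "x");
        } catch (IllegalArgumentException e) {
            // Report a controlled error instead of returning an empty response.
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The values in `params` would be bound with `PreparedStatement.setString` in order, so quote characters in them never become part of the statement.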
DbForms Mailing List
http://www.wap-force.net/dbforms
