Sebastian Scheible wrote:
> To be more specific, it is possible to change the WHERE part of the SQL code, but not to execute an arbitrary piece of SQL code.
Hi again, I was wondering if dbforms has any built-in protection against SQL injection, or if SQL injection is meant to be prevented outside of dbforms (e.g. by BadInputFilterValve for Tomcat, which is recommended in "Tomcat: The Definitive Guide").
In dbforms you can "inject" raw SQL code (i.e., as I understand it, a client that maliciously modifies its request) through dbforms' tag attributes whereClause and (new) sqlFilter, and in either case there's no protection (AFAIK).
--
Sergio Moretti
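To make the distinction in this thread concrete (a request-controlled WHERE fragment versus a filter the client can only parameterize), here is an added example in Python with sqlite3. It is not dbforms code and does not use dbforms' Java API; the table, rows, filter names and function names are all constructed for the illustration. The first function pastes a client-supplied string into the statement the way an unprotected whereClause/sqlFilter attribute would; the second lets the client choose only from an allow-list of named filters, each bound to a fixed fragment with a placeholder, so the value is always treated as data.

```python
import sqlite3

# Constructed in-memory sample data (not from the mailing list thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, region TEXT, is_active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "north", 1),
            (2, "bob", "south", 1),
            (3, "carol", "north", 0),
        ],
    )
    return conn


def query_unsafe(conn, where_clause):
    """Mirrors an unprotected request-controlled whereClause: whatever text
    the client sends becomes part of the statement, so the client can
    rewrite the WHERE part (which is exactly what the thread describes)."""
    sql = "SELECT name FROM customers WHERE " + where_clause
    return [row[0] for row in conn.execute(sql)]


# Allow-list of filters the form is permitted to use. The client selects a
# filter name and supplies a value; it never supplies SQL text itself.
ALLOWED_FILTERS = {
    "region": "region = ?",
    "active": "is_active = ?",
}


def query_safe(conn, filter_name, value):
    """Hardened variant: unknown filter names are rejected, and the value is
    bound through a placeholder rather than concatenated into the SQL."""
    if filter_name not in ALLOWED_FILTERS:
        raise ValueError("filter not allowed: %r" % filter_name)
    sql = "SELECT name FROM customers WHERE " + ALLOWED_FILTERS[filter_name]
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    # The intended filter and a client-widened one give different row sets.
    print(query_unsafe(db, "region = 'north' AND is_active = 1"))
    print(query_unsafe(db, "region = 'north' OR is_active = 0"))
    # With the allow-list the same text is just a (non-matching) region value.
    print(query_safe(db, "region", "north' OR is_active = 0"))
```

The usage at the bottom shows the difference: in the unsafe path the client decides what the WHERE clause says, in the safe path it can only pick a filter the application defined and fill in its value.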
_______________________________________________
DbForms Mailing List
http://www.wap-force.net/dbforms
