On Friday, 17 January 2003 at 21:24, Hans Bergsten wrote:
> Since we're talking Java here, PreparedStatement is the simple solution
> to this problem. It's been discussed in more detail here before so
> search the archives if you don't understand how it solves the problem.
>
> Hans
Definitely, and I also should have added that. Still, as virtually no one I met seemed to know (or care) about this issue, I just found it worth mentioning on this occasion. I should rather have kept it to myself and studied the list archives first, of course. Yet, as even some of the Java examples on Oracle Technology Network do seem quite vulnerable to such simple kinds of attack, and as recent studies by c't magazine in Germany show that many more sites are error-prone this way than one would believe, even some of the major ones, I just thought it was a good idea to mention the problem and its causes again, as Oracle security issues and web applications were in question; but well, could be I was wrong. Never mind :)

-- 
Chris (SCPJ2)

NB: This is a cross-language problem, hence the mention of regular expressions (Perl, mostly). In Java, one would skip ordinary Statements and use PreparedStatement instead, even if the query is executed just once. SQL variables are automatically checked for illegal characters that way.
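As an added example (not code from the thread above or from any of the sites it mentions), the following Java class shows the two approaches side by side: a login check that splices user input into the SQL text with an ordinary Statement, and the same check written with a PreparedStatement, where the query text is fixed at prepare time and the values are sent as bound parameters that the database never parses as SQL. The table, the user row, the attacker string `' OR '1'='1` and the JDBC URL are all constructed for the demonstration; it assumes an H2 in-memory database with the H2 driver on the classpath, but any JDBC-compliant driver and URL would serve.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginCheck {
    // Assumption: an in-memory H2 database and the H2 JDBC driver on the
    // classpath. Replace with whatever JDBC URL your driver understands.
    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed test data: one user with a known password.
    static void setup(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE users (name VARCHAR(64), pw VARCHAR(64))");
            s.execute("INSERT INTO users VALUES ('alice', 's3cret')");
        }
    }

    // Vulnerable: user and pw become part of the SQL text, so a value that
    // contains a quote character can change the structure of the WHERE clause.
    static boolean loginUnsafe(Connection c, String user, String pw) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + user
                   + "' AND pw = '" + pw + "'";
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the query text contains only placeholders; the values are
    // bound afterwards and are always treated as data, never as SQL.
    static boolean loginSafe(Connection c, String user, String pw) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pw);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            setup(c);
            // Constructed attacker input: closes the pw literal and appends
            // an always-true condition.
            String attack = "' OR '1'='1";

            System.out.println("Statement, real password:       "
                + loginUnsafe(c, "alice", "s3cret"));
            System.out.println("Statement, injected password:   "
                + loginUnsafe(c, "alice", attack));
            System.out.println("Prepared, real password:        "
                + loginSafe(c, "alice", "s3cret"));
            System.out.println("Prepared, injected password:    "
                + loginSafe(c, "alice", attack));
        }
    }
}
```

With the injected value the concatenated query reads `... WHERE name = 'alice' AND pw = '' OR '1'='1'`, which matches every row, so the Statement version grants the login without a valid password; the PreparedStatement version compares the whole string `' OR '1'='1` against the stored password and finds no match. Note that binding parameters protects the values only: table and column names, or an ORDER BY direction, cannot be bound with `?` and must be validated against an allow-list before being placed in the query text.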