[
select * from foo where id = ?
...then a second parameter is sent to the driver to tell it that the
value of the ? placeholder is 1. The parameter 1 is not used to modify
the SQL.
]
Why can the solution above protect us from SQL Injection problems?
Because, I see that finally the value of ?
The difference is that the driver is responsible for escaping the
parameters, not your application. What that means in more practical
terms is that if the parameter is '1;drop table foo;--', then the
query will fail, because it is not an integer.
So instead of dropping the table, a fairly
hey :)
I must read more about that :)
If you have any document about "What that means in more practical
terms is that if the parameter is '1;drop table foo;--', then the
query will fail, because it is not an integer", plz show me uh :)
Larry, thank you very much :)
Oh, wait a minute, Larry!
[
if the parameter is '1;drop table foo;--', then the
query will fail, because it is not an integer
]
As I guess, maybe there will be a comparison between the data type of the
column named Id and the data type of the parameter which the user inputted.
If so, in another case, if another column named Name has data type
Varchar (or String), we have SQL like below:
select * from user where name = ?
and ? has the value 'bowl;drop table foo;--' ... what will happen, Larry?
The query would be considered as
select * from user where name =
Pham,
I'll chip in... more information on http://en.wikipedia.org/wiki/Sql_injection
Rewording Larry's answer...
The problem with SQL injection occurs when arguments to an SQL statement are
done by actually changing the SQL statement before execution. E.g. you add an
additional and user = +
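Larry's answer and the two cases Pham asks about (an integer id column and a varchar name column) can be checked with Python's sqlite3 driver, which uses the same ? placeholders. The example below is added here and is not code from the thread or from iBATIS; the schema, the rows and the in-memory database are constructed for the demonstration. The concatenating function runs the spliced string through executescript() because sqlite3's execute() refuses multi-statement text; that stands in for a server that accepts statement batches.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows (not from the mailing list thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (id integer primary key, label text)")
    conn.execute("create table user (id integer primary key, name text)")
    conn.executemany("insert into foo (id, label) values (?, ?)",
                     [(1, "one"), (2, "two")])
    conn.executemany("insert into user (id, name) values (?, ?)",
                     [(1, "bowl"), (2, "pham")])
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?",
        (table,),
    ).fetchone()
    return row is not None


def query_user_by_name(conn, name):
    # Parameterized: the driver binds `name` as one string value. Whatever it
    # contains (semicolons, comment markers) is compared literally against the
    # column and is never parsed as SQL.
    return conn.execute(
        "select id, name from user where name = ?", (name,)
    ).fetchall()


def query_foo_by_id(conn, raw_id):
    # Parameterized with an explicit integer conversion, mirroring a typed
    # setter: a non-integer input is rejected before any SQL is sent.
    return conn.execute(
        "select id, label from foo where id = ?", (int(raw_id),)
    ).fetchall()


def query_foo_by_id_concat(conn, raw_id):
    # The pattern the thread warns about: the input is spliced into the SQL
    # text, so a value carrying ';drop table foo;--' becomes a second statement.
    sql = "select id, label from foo where id = " + raw_id
    conn.executescript(sql)
    return sql


def demo():
    conn = make_db()
    hostile_name = "bowl;drop table foo;--"   # the value from Pham's question
    hostile_id = "1;drop table foo;--"        # the value from Larry's answer

    name_rows = query_user_by_name(conn, hostile_name)   # [] : no such name
    foo_alive_after_name = table_exists(conn, "foo")     # True

    try:
        query_foo_by_id(conn, hostile_id)
        id_rejected = False
    except ValueError:
        id_rejected = True                               # True: not an integer

    query_foo_by_id_concat(conn, hostile_id)
    foo_alive_after_concat = table_exists(conn, "foo")   # False: table dropped

    return {
        "name_rows": name_rows,
        "foo_alive_after_name": foo_alive_after_name,
        "id_rejected": id_rejected,
        "foo_alive_after_concat": foo_alive_after_concat,
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized name lookup returns no rows and leaves foo in place, because the whole string is one bound value; the integer lookup never reaches the database, because the input is not an integer; only the concatenated version changes the SQL and loses the table.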
Hi,
I just downloaded iBATIS_DBL-2.1.0.565.zip, imported the source files into
WSAD, and tried to build it. I encountered some problems:
1. Unresolvable import files:
// in file com.ibatis.db.dao.jdbc.SqlMap2DaoTransaction.java
import com.ibatis.db.dao.DaoException;
import
Where is the file build.bat? I don't see it in the zip file.
Larry Meadors
Sorry, i assumed you were building it from the repository.
Larry
On 7/6/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Where is the file build.bat? I don't see it in the zip file.
Larry Meadors
I'm using IBM WebSphere Application Developer Integration Edition 5.1. I'm
not sure which version of JDK it uses. How do I tell? I ran java -version
and get the following:
java version 1.3.0
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build