An additional tidbit of information: if you're using Hibernate for object persistence, it utilizes prepared statements to communicate with the underlying database.

There are various forum discussions about this, for example http://forum.hibernate.org/viewtopic.php?t=929908&highlight=sql+injection

Regards,
JRC

On 8/8/05, Mark Wilcox <[EMAIL PROTECTED]> wrote:
>
> Prepared statements are "safer" because they reduce (essentially
> prevent) the inclusion of raw SQL.
>
> All they can do is set a value of an expected SQL variable. On top of
> this Java can be used to make sure that you're passing in the proper
> type of business logic data.
>
> Mark
>
> On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> > Cool. Is there a reference somewhere that describes why prepared
> > statements are safe?
> >
> > Not that I don't trust you all, but the info isn't for me and I will
> > have no credibility without a link or something I can pass along.
> >
> > Thanks!
> >
> > Geoff
> >
> > On 8/8/05, Viktor Szathmary <[EMAIL PROTECTED]> wrote:
> > > hi,
> > >
> > > On 8/8/05, Geoff Longman <[EMAIL PROTECTED]> wrote:
> > > > Has anyone out there given any serious thought towards a strategy for
> > > > preventing these kinds of attacks in Tapestry forms?
> > >
> > > using PreparedStatements with bound variables is a good enough
> > > solution for SQL insertion (plus throw in the usual basic data
> > > validation for good measure).
> > >
> > > regards,
> > > viktor
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > --
> > The Spindle guy.
> > http://spindle.sf.net
> > Get help with Spindle: http://lists.sourceforge.net/mailman/listinfo/spindle-user
> > Announcement Feed: http://www.jroller.com/rss/glongman?catname=/Announcements
> > Feature Updates: http://spindle.sf.net/updates

--
===================
Joel Charlesworth
[EMAIL PROTECTED]
[EMAIL PROTECTED]
