Thanks for all the information! One last question with regards to ORMs that use prepared statements...
Would the safety, or lack thereof, of these prepared statements be dependent on the JDBC driver implementation?

Geoff

On 8/8/05, t.n.a. <[EMAIL PROTECTED]> wrote:
> Geoff Longman wrote:
>
> >Has anyone out there given any serious thought towards a strategy for
> >preventing these kinds of attacks in Tapestry forms?
> >
> >examples:
> >
> >http://www.securiteam.com/securityreviews/5DP0N1P76E.html
> >
> >
> I know it's not what you asked, but it seems to me that SQL injection is
> not an issue when you use an object relational mapper like cayenne or
> hibernate, and (from what I can tell) rarely anyone works directly with
> raw SQL anymore.
> This immunity simply has to do with the fact that protection from such
> an attack is already integrated into the mapper so anything you pass it
> should be fairly safe.
>
> This question has been asked, but you might have been looking in the
> wrong place (Tapestry related, instead of ORM related) or you simply
> don't presume your friend/colleague will use an ORM:
> http://forum.hibernate.org/viewtopic.php?t=929908&highlight=mysql+jdbc+driver
> http://jroller.com/comments/larrywilliams?anchor=secure_and_successful_posting_with
> http://www.sitepoint.com/forums/showthread.php?t=271353
>
> For what it's worth, it seems that yes, using prepared statements also
> does the trick, but it's been so long since I last had to work at that
> level... :)
>
> Cheers,
> Tomislav
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
The Spindle guy.
http://spindle.sf.net
Get help with Spindle: http://lists.sourceforge.net/mailman/listinfo/spindle-user
Announcement Feed: http://www.jroller.com/rss/glongman?catname=/Announcements
Feature Updates: http://spindle.sf.net/updates
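An added example, not part of the thread above, illustrating the two points under discussion: why a parameterized query stops the login-bypass style of injection that plain concatenation allows, and what "depends on the driver" means in practice. It uses Python's built-in sqlite3 module rather than JDBC so that it runs stand-alone without a database server or driver jar; the `?` placeholders bound through `execute(sql, params)` play the role of `PreparedStatement.setString()`. The users table, the credentials and the payload are constructed for this example, and `emulate_client_side_bind` is a deliberately simplified model of what a driver does when it does not hand the statement to the server for preparation (real drivers also have to skip `?` inside string literals and comments, which this toy does not).

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic login-bypass payload of the kind the securiteam article describes.
ATTACK = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """VULNERABLE: the query text is built by string concatenation, so the
    attacker's input becomes SQL syntax. This is what raw SQL through a plain
    JDBC Statement does."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """SAFE: the query text is fixed and the values are bound as parameters,
    the equivalent of PreparedStatement.setString(). The database only ever
    sees the payload as a value to compare against, never as syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def emulate_client_side_bind(sql, params):
    """Toy model of a driver that does NOT prepare server-side: it escapes each
    value and splices it into the SQL text before sending it. Safety then rests
    on the driver's escaping rules matching the server's lexer. Assumed rule:
    SQL-standard quoting (double every single quote). Assumes every '?' in `sql`
    is a placeholder, which a real driver must not assume."""
    parts = sql.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    literals = ["'" + str(p).replace("'", "''") + "'" for p in params]
    # Splitting first, then interleaving, means a '?' inside a bound value
    # can never be mistaken for the next placeholder.
    return "".join(part + lit for part, lit in zip(parts, literals)) + parts[-1]


def login_emulated(conn, username, password):
    """Same query as login_param, but bound client-side the way an emulating
    driver would, then executed as plain text."""
    sql = emulate_client_side_bind(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, ATTACK, ATTACK))    # ['alice', 'bob']
    print("server-bound:", login_param(db, ATTACK, ATTACK))     # []
    print("client-bound:", login_emulated(db, ATTACK, ATTACK))  # []
    print(emulate_client_side_bind("SELECT ? , ?", ("a?b", "it's")))
```

Run it and the concatenated query logs in as every user, while both bound variants return nothing for the payload and still return the right row for genuine credentials. On the driver question: the JDBC API promises that a bound value is treated as a value, but whether the driver achieves that by sending the statement to the server for preparation or by escaping on the client and sending finished SQL text is up to the driver, and in the second case the guarantee is only as good as the driver's escaping matching the server's parsing rules (quote style, character set handling). Check the driver's documentation for which mode it uses and for any settings that switch it. One further caveat for the ORM side of the question: a mapper only protects the queries it parameterizes for you; a query string you assemble yourself by concatenation, whether SQL or HQL, is injectable regardless of what the mapper does underneath.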
