I was asked the question "What is SQL injection and how can I avoid it?"
I understand it to a point but an example would be great.
Nathan
On Jul 5, 2005, at 7:01 AM, Larry Meadors wrote:
Yes, it does pass the SQL directly to the driver, but unless you use
the $$ syntax for parameters, you should be safe with iBATIS.
The $$ syntax is the only part of iBATIS that allows string
concatenation, which is the biggest source of SQL injection attacks.
If you are using a really crappy jdbc driver, you could have issues
with it somehow botching things in its implementation of prepared
statements, but I have not heard of a single case of that happening.
Larry
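Larry's point about the `$$` notation, as an added example that is not from this thread or from iBATIS itself: a toy Python renderer that mimics iBATIS 2's `#name#` (bound parameter) and `$name$` (literal text substitution) notations and runs the result against an in-memory SQLite table. The regex, the table and the row data are constructed for the demo.

```python
import re
import sqlite3

# Toy renderer that mimics the two iBATIS 2 parameter notations (assumption:
# this is not iBATIS code). "#name#" becomes a bound "?" placeholder; "$name$"
# is pasted into the SQL text, which is the string concatenation Larry means.
TOKEN = re.compile(r"([#$])(\w+)\1")

def render(template, params):
    """Return (sql, bind_values) for an iBATIS-style statement template."""
    binds = []
    def substitute(match):
        notation, name = match.group(1), match.group(2)
        if notation == "#":
            binds.append(params[name])  # data, sent to the driver separately
            return "?"
        return str(params[name])        # text, now part of the statement itself
    return TOKEN.sub(substitute, template), binds

def make_db():
    # Constructed sample data; the second name contains a single quote.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien"), (3, "bob")])
    return conn

def lookup(conn, template, params):
    sql, binds = render(template, params)
    return conn.execute(sql, binds).fetchall()

HASH_FORM = "SELECT id, name FROM users WHERE name = #name#"
DOLLAR_FORM = "SELECT id, name FROM users WHERE name = '$name$'"
SORT_COLUMNS = {"id", "name"}  # allowlist for the one place $$ is legitimate

def by_name(conn, name, template=HASH_FORM):
    """With #name# the quote in O'Brien is plain data; with $name$ it ends the
    literal early and the remainder is parsed as SQL (here: a syntax error)."""
    return lookup(conn, template, {"name": name})

def list_users(conn, sort_column):
    # An identifier cannot be a bind parameter, so $$ is unavoidable here:
    # validate it against the allowlist before it reaches the statement.
    if sort_column not in SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_column)
    return lookup(conn, "SELECT id, name FROM users ORDER BY $col$",
                  {"col": sort_column})
```

`render(DOLLAR_FORM, ...)` returns the finished SQL string, so you can see exactly what text the driver would receive for a given input.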
On 7/5/05, Fabrizio Gianneschi <[EMAIL PROTECTED]> wrote:
Since iBatis uses PreparedStatements a lot, it's safer than old school JDBC code, even if it's still vulnerable because it passes the SQL directly to the driver without checking, afaik. You can always use some good tricks to increase the robustness of your SQL, but...

...this type of checking is not the responsibility of a SQL mapper layer like iBATIS.

I think you should check your user input in higher server-side layers, such as the presentation one; Struts Actions and/or ActionForms, for example.
Fab
________________________________
From: Pham Anh Tuan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 5 July 2005 12.16
To: iBatis
Subject: [HELP] Whether or not iBatis support SQL Injection?
Hi all,
I don't know whether or not iBatis supports checking for SQL injection?
Please help me :)
Pham